What’s new with cybersecurity negotiations: OEWG 2021-2025 second substantive session

The UN Open-Ended Working Group (OEWG) on cyber, which will be active until 2025, held its second substantive session. The discussions were overtaken by an organisational issue that should have been solved at the very start of the group’s work, in June 2021. The ground the OEWG is standing on has started to shake, as the usefulness of the previously agreed-upon framework is being called into question by some. There is, however, room for progress based on agreed confidence-building measures (CBMs) and capacity building, while the future of regular institutional dialogue looks as murky as ever. Let’s take an analytical look at the developments and prospects.

A stumbling stone: modus operandi

The question of the ways non-governmental stakeholders will participate in the OEWG has plagued the process since its organisational session in June 2021. The first substantive session in December 2021 saw the member states set the question aside, adopt the programme of work of the first substantive session, and discuss the substantive issues on its agenda. The second substantive session in March 2022 did not go this way. It was noted by the very first speaker – the UK – that undecided modes of multistakeholder participation are an obstacle to adopting the programme of work of the second session. 

Why is it important to adopt a programme of work? Because it is UN practice to switch to informal mode of work otherwise. In this OEWG, a switch to informal mode of work brought about a lot of confusion, namely, whether it is in line with the OEWG mandate and the allocated budgets, and whether delegations’ inputs would be taken into account when writing the annual report. The informal mode of work may have contributed to a more open exchange of opinions between the states and the setting of priority issues that have not been discussed in detail before.

While the collective West (USA, EU, and allies) was supporting the switch to informal mode, those that typically disagree with them, e.g. Russia and Cuba were against it. Interestingly, the Chair took a long time to say it was in fact his proposal to work in informal mode – he only clarified this during the third meeting of the session, and proceeded to suspend the formal meeting, effectively switching to informal mode. From there on, even as there was no consensus on working in informal mode, each meeting was opened and soon formally closed, and discussions then proceeded in informal mode.

(Undecided) Modes of multistakeholder participation

The oft-mentioned proposal by India was apparently to use the modalities of the OEWG 2019-2021, i.e. engage with non-governmental stakeholders in sessions in consultations separate from formal sessions, for one year. Chair’s Rev.1 document was also mentioned. However, neither one of these two documents seems to be available to the public, which hurts the transparency of the process. Neither of the proposals was adopted.

Another option mentioned was to follow what the OEWG on conventional ammunition has done in this regard. To the best of our ability to research it, the mode this OEWG uses is to 

• allow organisations that have observer status with the General Assembly and ECOSOC-accredited to participate; 
• allow other relevant non-governmental organisations to apply to the Secretariat for accreditation, the Secretariat circulates the list of such organisations, and the OEWG considers and takes decisions on applications that states objected against at the beginning of each of its sessions.

However, it was also noted that when the modalities in the OEWG on ammunition were elaborated, it was stressed they will not serve as an example for other UN processes. 

Russia and Iran were claiming the collective West wants to distract the OEWG from discussing substantive issues, and as for the second session, the discussion on modalities did delay the substantive ones.

It is relevant to observe that, probably also due to the lack of agreed working modalities, some states turned to self-organising into ad-hoc groups. Germany, along with a number of other countries, convened an open cross-regional group on the implementation of CBMs, focused on cross-regional exchange within the OEWG. According to the conveners, the group was open to all the interested states to join, and many countries expressed support and interest in participating in such a group. Interestingly, the group also announced a report on its current findings to be submitted soon to the OEWG portal.

It remains to be seen whether more groups will self-organise in the future to discuss specific topics and open questions – and whether this will enhance cooperation and productivity or cause further challenges for the working modalities in making. The Chair, as well as several states, expressed hope that the issue would be solved by July so delegations could adopt the programme of work at the next session (25-29 July 2022).

Existing and potential threats vis-a-vis the Ukraine conflict

The Ukraine crisis heavily impacted the discussion on threats, with the majority of participants calling on Russia to stop cyberattacks on Ukraine’s information resources and fake news campaigns.

Russia, on the other hand, brought up two new threats to states in cyberspace: disconnecting a country from the internet and cutting it off from the international payment system. It was referring to the fact that it was cut off from SWIFT, noting that it is ‘technically possible because the management of such a system is in the hands of just one or a very narrow group of countries’. This is the first time that such examples were brought into OEWG discussions, as such events were unprecedented. Along those lines, Iran and Cuba warned that states should refrain from adopting unilateral coercive measures that might restrict or prevent universal access to ICT.

International law and norms: ‘Yes, but’

Many countries, including Argentina, Australia, Brazil, Canada, Japan, Kenya, the Republic of Korea, the USA, and EU member states, confirmed that the framework of responsible state behaviour adopted by the UN General Assembly in 2021 – based on 2010, 2013, 2015, 2021 GGE and 2021 OEWG consensus reports – is the basis for the work of the OEWG 2021-2025. China also stated that the framework is an important consensus of the UN information security process and it should be fully, completely. and accurately implemented. Russia referred to the OEWG recommendations of 2021 (including the states’ proposals in the Chair’s Summary) in terms of the basis for the development of further rules; yet, it also stated that – in light of the extremely large number of unresolved issues related to the applicability of international law – the existing legal framework is practically useless, and expressed the need for an international legally binding instrument instead.

Similarly, many states – including India and Mexico – confirmed that international law, including the UN Charter in its entirety, applies to the use of ICT by states. Belarus, together with Cuba, Iran, Russia, and Syria did not fully agree. Cuba specifically rejected the automatic application of international humanitarian law in cyberspace and any reinterpretation or application of Art. 51 of the UN Charter in the area of cybersecurity. 

The norms of responsible state behaviour in cyberspace, outlined in the agreed framework, were also reiterated by a number of countries. Yet, while some states, like the EU, Australia and Japan, would like to focus on the implementation of the current norms, others like Russia, Belarus, and Cuba find them insufficient. 

The need for a new legally binding instrument that would regulate the use of ICT by states remains an important question at the OEWG. Most countries do not see the need to develop a new legally binding instrument, with Australia, Estonia, the EU, France, Ireland, and Switzerland explicitly opposing such a proposal saying it would mean a significant setback in the efforts to advance international security and stability that would lead to confusion and misunderstanding. On the other hand, Belarus, together with Cuba, Iran, the Russian Federation, and Syria called for the development of a new single international legally binding instrument. China would like to see the OEWG pursuing its global initiative on data security, with a view to providing a blueprint for possible global rules.

There were suggestions to move towards thematic discussions in dedicated groups on specific topics of how international law applies with experts involved, either within the regular OEWG or during the inter-sessional periods. Should these groups be put in place, we can expect that, in addition to the applicability of humanitarian law, the states would discuss the most pressing questions related to cybersecurity in the current geopolitical situation: what constitutes a breach of sovereignty, attribution of internationally wrongful acts, substantiation of such attribution, the difference between legal, technical, and political attribution, obligations of due diligence, and the protection of critical infrastructure, especially health facilities.

Space for possible agreements

A national survey of implementation

One field of possible progress might be confidence-building measures (CBMs). An old proposal was tabled by Mexico to establish a national survey of implementation of the UN framework as a practical mechanism for countries to map their own actions that contribute to building confidence, and share best practices with others. This led to the establishment of a repository – introduced by Australia hosted by UNIDIR at its Cyber Policy Portal – of national policies and strategies, positions on the applicability of international law in cyberspace, contact points, etc.

On one hand, this increases the transparency about how countries approach cybersecurity, which in turn would reduce chances for misunderstanding among diplomats, as well as states’ technical experts. On the other hand, the repository may also play an important role in capacity building: developing countries may learn from others about practical ways to uphold the agreed framework through the work on national policies and strategies, capacities of CERTs, and shaping positions about international law – and proudly showcase their progress in future OEWG statements and submissions.

Establishing points of contact (PoCs)

An even more important achievement may be anticipated in the long run. The severity and impact of various global cyber incidents in the past years have nudged experts to question if an operational body of diplomats could be created to address crises as they emerge – much like how CERTs already function rather well in networks like FIRST. The shapes of such a formation seem to be emerging from a CBM agreed upon in the OEWG and GGE in 2021: that states should consider nominating a national Point of Contact (PoC) at the technical, policy, and diplomatic levels (if not also law enforcement or other), and work on establishing a PoC directory at the global level. 

There seemed to be a general agreement in the second OEWG session – including by states with typically opposing views, such as the USA and Russia – that this directory should further be turned into an active, operational, and regularly tested network. There is still a diversity of views on what such a network would do: from running regular table-top exercises and exchanging information about incidents, reacting to requests from other states in relation to malicious activities, to becoming an international coordination mechanism for detecting, preventing, and responding to attacks, with a 24/7 system and hotlines for crisis management. 

Protocols and procedures for communications among PoC, especially during crises, are likely to be discussed at the next OEWG meetings. But – first things first: states should nominate their PoCs, so that the directory – likely hosted through the UNIDIR Cyber Policy Portal – could be formed.

Capacity building 

Another field of possible progress might be capacity building. Both developed and developing countries expressed support for the Cybersecurity Capacity Maturity Model (CMM), developed by the Oxford Centre, which would allow developing countries to better set priorities for capacity development; and for the Programme of Action (PoA) that would operationalise the coordination, cooperation, and support of tailored capacity building on states’ assessments. There were also multiple calls to increase international coordination using existing organisations such as the Global Forum on Cyber Expertise (GFCE) and their existing tools and networks.

We can expect further consultations on a new ‘mechanism’ that would allow compiling lessons learned, and publishing comparative studies on different regional organisations that offer capacity building programmes in the form of a calendar. Such a mechanism would make it easier for countries to find suitable capacity-building initiatives. Given the fact that different countries have raised the role of UNIDIR and the potential of its Cyber Policy Portal, we might expect it to take up and elaborate on some of these initiatives.

Regular institutional dialogue

The cyber PoA got more support this year: 57 states, as well as the EU, expressed the desire to establish PoA as a permanent institutional mechanism. While the PoA was imagined as a complimentary track for the OEWG, there is still a minority of states that pointed out that the OEWG should remain the only negotiating platform for cyber issues. Their opposition might not matter – the co-sponsors’ original PoA proposal suggested that ‘a resolution could be adopted at the First Committee of UNGA to establish the PoA’, and decisions in the First Committee are made by the majority of votes of members present and voting. Co-sponsors promised to enhance the PoA working paper with practical steps for its establishment before the July session.

What’s next for the OEWG 2021-2025?

The countries will be negotiating modes of multistakeholder engagement in the intersessional period with the hope of agreeing on a certain mode until the third substantive session, scheduled for 25-29 July 2022. From our point of view, it is uncertain what basis they will even negotiate on as all proposals so far have been shut down. The Chair certainly has his work cut out for him on this front.

With the support of the Secretariat (UNODA), the Chair will prepare and circulate a draft annual report six weeks before the July session. We can only assume that it will encompass the June organisational session, the December 2021 session, and the March 2022 session.

As mentioned above, co-sponsors will further elaborate on the PoA proposal. It is probable that the proposal will be tabled to the First Committee this autumn.

Predictions in international relations are a tricky thing, but we are confident about this one anyway: states will continue to show their teeth and the period of constructive engagement and compromising will start towards the end of the OEWG mandate. In the meantime, there is moderate hope for some smaller ‘quick wins’ to boost optimism.