What’s new with cybersecurity negotiations: The OEWG 2021–2025 annual report adopted
Updated on 13 December 2022
The third substantive session of the OEWG saw delegations meet to adopt the annual progress report, to provide a clear roadmap for their future work, and to identify specific issues for focused discussions. Spoiler alert: they adopted it by consensus.
However, the text that left a bitter aftertaste in many a delegate’s mouth was mostly described as ‘balanced’ (34 instances), which is, of course, synonymous with ‘everyone disliked it in even measure’. It’s no coincidence that we are using a drinking metaphor here: the Chair himself compared the process of putting together a balanced text to putting ingredients into a blender and making a smoothie, and this comparison would be referred to until the end of the third substantive session. A healthy smoothie doesn’t always taste very good. So, bottoms up!
Quotes of the week
‘The working group cannot just be a talk show.’ – Burhan Gafoor
‘I’m very happy to be in the position of receiving hundreds of textual formulations. But I can’t possibly put all of them in a blender and extract the juice of it and come up with a smoothie that will find a smooth way forward.’ – Burhan Gafoor
‘We understand the craving of all of us to have some more tasty ingredients in this smoothie.’ – The representative of India
‘Turning to paragraph 5 […] It also asks for the effective participation of women and we’d like to request that the word effective be changed to the two words, full and equal. This is because there is no requirement for men’s participation to be effective and so this shouldn’t apply to women.’ – The representative of Australia
‘Finally, after this, I think we all deserve a drink.’ – The representative of Singapore
Before the substantive issues could be discussed, members had to adopt a procedural item first: the modalities of stakeholder engagement in the OEWG.
In the run-up to the third substantive session, stakeholders (businesses, NGOs, academia, and the technical community) applied to provide input to the OEWG. States had the possibility to veto the participation of stakeholders that did not have UN ECOSOC consultative status. Many such stakeholders (27) were vetoed by Russia, which triggered a discussion on stakeholder participation.
Among the countries that used the veto, Russia and Ukraine shared their reasoning. Russia said that states have the sovereign right to work in the area of ICT security and that its actions were strictly in accordance with the modalities for members of the OEWG, which state that countries are not obliged to inform the Chair of the reasons for their veto – doing so is voluntary. Russia has proceeded based on appropriateness and relevance in terms of the OEWG mandate in considering the stakeholder applications. Ukraine, which blocked some of the Russian stakeholders, noted that a few organisations from Russia are ‘clearly state affiliated entities’, while the OEWG should benefit from contributions made by independent NGOs.
The delegations also discussed stakeholder inputs and their relevance with regard to specific issues – international law, existing and potential threats, the CBMs, and capacity building.
Switzerland (also speaking in its national capacity), New Zealand, Croatia, Italy, Estonia, Ireland, the UK, Romania, Finland, Latvia, Denmark, Canada, the EU, Chile, and others expressed their support for the stakeholders to be part of the discussion and encouraged Russia to provide an explanation of its position on stakeholder engagement.
Regarding stakeholder engagement in general, El Salvador highlighted the contributions of academia, NGOs, and civil society, including through the generation of specialised documents. Iraq stressed the need to benefit from the important role of stakeholders in tackling potential threats in cyberspace and in the ICT sector in general, given their experience in this field. Peru highlighted the need for stakeholders’ engagement in the OEWG process according to the agreed modalities.
China noted that discussions by any regional organisation are not more important than deliberations at the UN. Kenya highlighted the central role played by sub-regional and regional bodies in the sharing of technical information, including relevant threat intelligence.
Costa Rica noted that information about threats and the response to incidents is an area where stakeholders such as CERTs, communities, and tech companies have greatly added value.
China and Nicaragua noted that the development of the common understanding on international law remained the exclusive prerogative of states, and China asked to delete the text on inputs from interested stakeholders, including business and non-governmental organisations and academia. The Islamic Republic of Iran stated that the national systems, mechanisms, and priorities should be ensured in any engagement with stakeholders on aspects of confidence-building measures. Iran also believes that only those stakeholders whose accreditation has already been approved by states on a non-objection basis, according to the agreed modalities, can engage on capacity-building aspects.
The Netherlands, on behalf of the international law group, noted that the development of common understandings on international law remains the exclusive prerogative of states, and proposed that discussions at the OEWG could benefit from experts from the International Committee of the Red Cross and the UN, such as the International Law Commission, as well as interested stakeholders, including business, non-governmental organisations, and academia. The Republic of Korea stated that the understanding [of how international law applies] can also be further developed by other entities, such as academia, through legal interpretation of international law, and that a useful way of developing such a common understanding is through voluntary sharing of national views on how international law applies in the use of ICTs.
Costa Rica would like the OEWG to dedicate sessions or establish subgroups to study specific issues of international law. Brazil believes that briefings with experts, particularly expert organisations that have a standing invitation to participate as observers in the work of the OEWG, are welcome. Expert briefings were also requested by Canada, Australia, Mexico, and the Republic of Korea.
Iran prefers to include briefings from relevant bodies within the UN, such as the ILC, instead of expert briefings.
Outcome: The modalities of stakeholder engagement in the OEWG were adopted by consensus.
Discussions on substantive issues
Discussions on substantive issues (i.e. agenda item 5) were based on the Rev. 1 of the first annual progress report of the OEWG as delivered to the delegations on 20 July 2022.
Three points were raised during the discussion on the introductory part of the report: the acquis, the role of regional organisations, and gender parity.
The discussion on what constitutes the acquis, i.e. the legal framework which is already agreed upon and is the base for the work of the 2021–2025 OEWG, continued. The majority of the states consider previous UN GGE and UN OEWG reports as the base for the OEWG work to build on. Nicaragua and Cuba, however, find that the UN GGE report of 2021 is not a part of the acquis because of the restrictive nature of the Group of Governmental Experts (GGE). Russia similarly stated that the basis of the OEWG’s work is the report of the previous OEWG. Nicaragua and Cuba also requested a reference to the UNGA Resolution 75/240 that created the current OEWG.
Outcome: The consensus report of the 2021 OEWG and the consensus reports of the 2010, 2013, 2015, and 2021 GGEs were acknowledged as the acquis in the annual progress report.
Countries also welcomed the acknowledgement of the efforts of regional and sub-regional organisations in the field of security in the use of the ICTs.
Outcome: The paragraph remained largely unchanged in the annual progress report.
States have addressed the issue of gender parity in cybersecurity and its importance for the work of the OEWG. China has noted that the OEWG should not discuss issues unrelated to its mandate.
Outcome: The paragraph remained in the annual progress report.
The key question during the discussions was how exhaustive the list of threats in the report should be. France noted that the annual report needs to contain a description of threats, and that some threats could be recalled more explicitly. The USA and Canada similarly stated that more work on the section is needed. Canada noted that this section sets the table for the rest of the report, which is basically about how to address the threats, while the USA highlighted that discussions about best practices and network defence lie outside of the OEWG’s remit. Brazil, Argentina, Mexico, Sri Lanka, and the EU noted that an exhaustive list of threats would be impossible to agree upon.
The inclusion of data security as one of the topics that is under the OEWG’s mandate was welcomed by China and Kenya. However, the EU noted that welcoming discussion on data security initiatives remains premature.
Ukraine itself, New Zealand, the USA, Canada, the Netherlands, and Australia raised the point that the context of armed conflict due to the war in Ukraine should be reflected in the report. Germany also highlighted the military use of the ICTs, Japan highlighted malicious use of the ICTs in conjunction with military action, while Vietnam added the threat or use of force as elements the report should contain.
Canada, Costa Rica, the EU, Mauritius, Colombia, the Czech Republic, Israel, and the ICC noted that ransomware as a threat to critical infrastructure should be added under the threats section of the report. China volleyed back: by discussing the issue of ransomware, is the OEWG discussing cybercrime? Russia also stated that they consider ransomware a cybercrime. Brazil underlined a context-based approach: ransomware is relevant for the OEWG when it reaches the level of threat to international security, and in most cases ransomware will be more pertinent to cybercrime. Australia agreed with this view, saying that the inclusion of ransomware in the wording of the annual report is not a red line, and that it is more important to capture the evolving nature of threats. Jordan thinks that ransomware should be present both in the report of this OEWG and in the cybercrime treaty.
There were strong calls for the protection of critical infrastructure (CI) and critical information infrastructure (CII) made by the Philippines, the Netherlands, and Singapore, with Singapore underlining cross-border CII. Adding measures to solve vulnerabilities in OTT and IoT technologies was suggested by Singapore, while Israel also noted threats against the OT and added SCADA to the discussions. The EU cautioned that the proposal to agree on the list of critical infrastructures will not allow for consensus discussion between states.
Other threats were brought up as well. For instance, Kenya put forward violent extremism and terrorist activities, as well as online threats to child safety and vulnerable groups. The security implications of new and emerging technologies were noted by the USA, Brazil, and Germany. Pakistan underlined that measures to counter disinformation and fake news and measures for the timely disclosure of vulnerabilities should be added to the text.
Cameroon suggested the creation of a permanent platform for support and discussions on new threats, as well as an urgent response to emergencies.
Outcomes: The report acknowledges ‘a challenging geopolitical environment with rising concern over the malicious use of ICTs by State and non-state actors targeting critical infrastructure and essential service’, but does not explicitly state it is due to the Ukraine war. Data security has remained in the report as a part of the OEWG’s mandate. The report notes that the ever-evolving properties and characteristics of emerging technologies also expand the attack surface, creating new vectors and vulnerabilities that can be exploited for malicious ICT activity. Malicious use of the ICTs by terrorists is also mentioned in the report. Most shockingly, the report does not contain a single mention of ransomware, which has long featured as the threat most countries were concerned about.
The discussion revolved around whether the OEWG should focus on the implementation of existing voluntary norms of responsible state behaviour, development of new norms, or both.
The majority of the states, such as Germany, the USA, Canada, and Czechia, have stated that focus should be given to the implementation of existing norms, with states working together to provide additional guidance to advance norm implementation, as well as elaborating on the conclusions and recommendations. Kenya proposed setting up OEWG work groups to share best practices, especially on how the existing rules, norms and principles can be contextualised in translation to national policies.
Iran, however, was stridently against calling the proposals for implementation of existing norms ‘action-oriented’ proposals. That would prioritise the sufficiency of implementing the norms and dismiss the necessity of negotiating a legally binding instrument, Iran noted. Adopting a concrete action-oriented approach would convert the OEWG into a proposed PoA structure to implement the framework of the GGE 2015 report, which is contrary to the mandate of the OEWG.
Iran and Russia remained adamant on the need for new norms, with Russia suggesting new legally binding norms, which was opposed by Canada and Mauritius.
Conversely, South Africa, Botswana, and the Democratic Republic of Congo stressed that developing additional norms can’t be done at the same time as the implementation of existing ones. New norms will place a burden on small developing states.
Some countries, such as Peru, Nicaragua, Indonesia, the Republic of Korea, and Singapore underscored the implementation of the existing norms but do not oppose the development of new ones. Singapore noted that areas which could benefit from discussions on new norms or further implementation of the existing norms include the protection of electoral infrastructure and the general integrity and availability of the internet.
Another strain of conversation around norms was developing common understandings on technical ICT terms. China, Iran, Cuba, Lao PDR, and Nicaragua welcomed it. Australia was against it, while the Netherlands and the USA proposed that states could share national understandings of ICT terms for the purpose of transparency.
Outcomes: The annual report acknowledges that states proposed that additional norms could continue to be developed over time. The term ‘action oriented’ remained in the report as well. Developing common understandings on technical ICT terms has not been included in the report.
Whether voluntary norms are enough, or whether new legally binding obligations or a new legally binding instrument are needed, is the question that the OEWG has been debating over and over again. Pakistan, the Democratic Republic of Congo, Russia, Iran, Nicaragua, and Egypt highlighted the need to continue the discussion on a legally binding agreement. Pakistan stated that norms are effective in peacetime and lose efficacy in the event of a conflict. Peru and the Netherlands (on behalf of the informal ‘international law’ group) did not exclude the necessity of adopting a legally binding instrument in the future.
This time, centre stage was taken by discussions on the application of the international humanitarian law (IHL) to cyberspace.
Switzerland, on behalf of the delegations of sixteen countries (Argentina, Brazil, Canada, Chile, Colombia, the Czech Republic, Estonia, Germany, Indonesia, Japan, Jordan, Mexico, the Netherlands, Republic of Korea, Senegal, Sweden), provided a statement saying that international humanitarian law (IHL) applies in cyberspace and noting that it is a priority to clarify how it applies regarding cyber operations in armed conflicts. These states see adherence to the IHL as of paramount importance, as it offers fundamental protections and reduces the risks and potential harm to both civilians and civilian objects (IT infrastructure of hospitals or schools) and to combatants from cyber operations in the context of armed conflict. These countries also see the discussion on the IHL taking place under the auspices of OEWG 2021–2025, including briefings from experts, and encourage organising a focused discussion on the IHL during the next session of the OEWG.
The UK, Congo, Ecuador, New Zealand, Ireland, Croatia, Canada, Peru, Romania, Brazil, Finland, Senegal, Costa Rica, Japan, El Salvador, Fiji in their national capacity, Mexico, and the Czech Republic supported this statement and its content. Austria, the Netherlands, and France also suggested that the International Committee of the Red Cross (ICRC) be referenced in the report. Brazil stated that the ICRC does not have to be explicitly mentioned, as the OEWG remains intergovernmental.
Nicaragua and Cuba stated that it is not relevant to even talk about the applicability of international humanitarian law to the use of ICTs in the context of international security since it would imply that the states tacitly accept the possibility of an armed conflict that would contribute to militarisation in cyberspace and would be the first step towards an armed cyberattack.
Cuba, Russia, and the Islamic Republic of Iran were against mentioning the IHL in the annual report. Pakistan noted that IHL demands further politically neutral discussions among states for the development of common understanding.
The Republic of Korea welcomed the mention of the due diligence principle and the IHL. Iran, on the other hand, preferred to delete any specific reference to due diligence and exchanges of best practices on international law, believing them to be premature. Portugal suggested that some form of the due diligence norm applicable to the private sector could be devised, with scholars being invited to make written contributions to this debate. A small group of member states should then write a food-for-thought non-paper to foster further debate on the viability of a due diligence code of conduct.
Cyber attribution was brought forward by Pakistan, Indonesia, Malaysia, and Germany.
Outcomes: The possibility of developing a legally binding agreement and international humanitarian law in the situations of armed conflict were only mentioned as part of OEWG 2021 report recommendations. The ICRC was not mentioned in the report. Due diligence was listed as one of the topics states proposed for further discussion. Cyber attribution was not mentioned in the report.
The idea of a global directory of ICT points of contact (PoC) has been enjoying support during this OEWG, with many countries using this session to underline that a recommendation for this directory should be included in the annual progress report. Singapore suggested that this directory can be coordinated by UNODA, while Malaysia and the Netherlands suggested leveraging the existing PoCs within regional and sub-regional platforms.
The informal ‘confidence builder’ group, which includes Australia, Brazil, Canada, Germany, Israel, Mexico, the Netherlands, the Republic of Korea, and Singapore, also noted that the PoC directory should build upon and be complementary to the existing regional efforts. Modalities of the PoC can be discussed in further sessions, this group noted.
Russia noted that the creation of a registry of PoCs is a ‘strategically urgent task’ as it would establish direct ties and cooperation between relevant agencies. It would also ease threats and tensions with regard to conflicts, misunderstandings, and incidents in the ICT realm. Russia submitted its proposal to this effect.
We can expect more countries to share their views on the topic. The UN Secretariat is requested to seek those views and produce a background information paper on them by the end of January 2023, which will feed into discussions during the fourth and fifth sessions of the OEWG.
Outcomes: Creating a global directory of ICT PoCs is among the recommended further steps listed in the report, to be discussed at the fourth and fifth sessions of the OEWG. The significant work done by regional organisations on the CBMs is also recognised in the section on the CBMs.
Regional organisations such as the African Union, the CSTO, the EU, the OSCE, the OAS, and the SCO shared their ongoing projects and programs in the CBMs and capacity building. Gafoor noted that it was the first time for the OEWG to hear directly from regional organisations.
Thailand and Costa Rica suggested integrating capacity-building efforts into the 2030 Sustainable Development Agenda, to connect the OEWG to the SDGs.
Thailand and Singapore requested that the UN Secretariat designate an ICT capacity-building focal point. The EU, Canada, and New Zealand did not support this, noting that it’s better to use existing platforms and initiatives like the GFCE and regional efforts and ensure complementarity between them. Botswana, the USA, and Fiji on behalf of the Pacific Islands Forum also noted the importance of the GFCE’s work.
The ICC suggested the elaboration of cyber development goals (CDG), which would primarily be a common capacity-building tool at the national level and would depend on states’ commitment to systematically track and report on implementation. This would bring clarity to what remains to be done to implement the existing cybersecurity framework in all states and allow the development of a targeted capacity.
The USA stated that, in capacity building, the OEWG should focus on articulating how capacity building can enable more states to implement and adhere to their commitments to the norms of responsible state behaviour. The USA was against including any capacity-building initiatives within the OEWG in the annual report that were not previously discussed by the states, and pointed out the existing capacity-building initiatives within the World Bank, the ITU, and the GFCE.
Referring to the suggestions for the UN Secretariat to take a role in capacity-building coordination, Germany stated that the OEWG, in capacity-building efforts, should build upon existing institutional structures and bring in the expertise of all stakeholders, including the UN and other multilateral organisations, as well as civil society actors such as the Global Forum on Cyber Expertise, when it comes to detailed coordination of activities. Germany sees a role for the OEWG in setting the framework for cyber capacity building and suggests elaborating on concrete proposals on how this can best be achieved during the upcoming sessions or the intersessional period. The Netherlands proposed to discuss the role of the UN Secretariat in the upcoming OEWG meetings, while Finland stated that it does not see value in this way forward.
Fiji, on behalf of the Pacific Islands Forum, emphasised the high priority of the capacity-building section and the importance of effective coordination of capacity-building efforts. Particular consideration should be given to the special circumstances of small island developing states, and there is a need for a coordinated capacity-building framework with recognition of already existing efforts by the UN and regional organisations, such as the GFCE and UNIDIR.
The Islamic Republic of Iran considers the OEWG as a negotiation process and not an implementation process. Therefore, the OEWG cannot take on capacity-building coordination. Instead, Iran proposed that the ITU take over the capacity-building coordination in the ICT as a permanent mechanism. That should include not only the exchange of information and coordination, but encouraging and facilitating non-discriminatory access of all states to ICT-related products, services, equipment, network, science, and technology.
Indonesia emphasised the issue of capacity building being related to the capacity to identify and classify the existing and potential threats. Cameroon and Fiji in its national capacity noted the need for climate resilient infrastructure.
A dedicated stakeholder session focused on how stakeholders support capacity building, the best practices and lessons learned, and any comments on the draft annual report. Seventeen organisations took the floor, presenting a variety of training, both local and regional, organised for diplomats, governmental agencies, women, youth, and vulnerable groups.
Besides sharing extensive expertise, some delegates offered recommendations for the annual report. For example, the EUISS (in the same manner as the ICC) proposed to consider a catalogue of concrete cyber capability goals to be achieved by the international community by 2030 with the aim to support states in meeting their commitments reflected in the GGE and the OEWG reports. Also, the EUISS recommended including mentions of the role of informal track 1.5 diplomacy in the report.
There were voices upholding the Swiss proposal concerning the IHL (AccessNow, Foundation Charisma).
The Paris Peace Forum stressed that stakeholders need to be involved in all steps of the cooperation in a regular and continuous manner, from the conception to the implementation phase of any agreed initiatives.
Global Partners Digital recommended that, in developing additional guidance or checklists on norms implementation, states do so in consultation with stakeholders in their countries and regions.
Several delegates also pointed to the necessity to include ransomware in the threat list and the need to recognise the growing participation of a mercenary industry in the spread of cyberattacks and the responsibility of those states that promote them.
Notably, this time, the voice of youth was heard. Youth for Privacy called for more representation of youth in negotiations: ‘There is no better way to bolster this working group’s capacity-building efforts, than to sponsor an international cohort of Youth delegates to attend the 4th and 5th sessions of OEWG’. Their comments for the draft report considered privacy issues and digital rights.
Canada expressed regret that not all organisations that could have shared views, such as Cyberpeace Institute, Microsoft, Chatham House, and others, were accredited to attend the OEWG. For this reason, Canada plans to incorporate views of stakeholders into their text proposals and encourage other delegations to do so.
Finally, several delegates from states and organisations pointed to the fact that stakeholders may be useful not only in capacity-building efforts, but in other directions too, as their experience shows. However, the overall impression from the dedicated session left the opposite feeling, especially given the fact that many stakeholders with expertise in norms, CBMs, and international law were vetoed from formal participation.
At the end of the session, Gafoor made a statement reminding delegates of the difficult way of finding consensus among member states and drew stakeholders’ attention to the fact that including each and every recommendation in the report is not possible, though the text must be balanced to meet the minimum of expectations.
After the stakeholder session, the OEWG listened to the presentations from UNIDIR on lessons from capacity-building efforts for the Biological Weapons Convention, the Chemical Weapons Convention, as well as the PoA on small arms and light weapons.
Regular institutional dialogue
The question of whether a Programme of Action will be established or not, and what its purpose would be, is still a point of contention. Countries which are co-sponsors of the PoA voiced their support for the PoA. Some countries, such as Colombia, El Salvador, and Canada, suggested that the PoA should be the future institutional dialogue to implement the acquis. France and Korea suggested that it may become a permanent mechanism for capacity building.
The OEWG is still preferred by Russia and Iran. Russia stated that the institutional dialogue should be pursued through continued work of the OEWG, noting that the OEWG could become a permanent mechanism. Iran stated that the OEWG should remain the only negotiating mechanism within the UN on security in the use of the ICTs. However, these two countries and Thailand supported the proposal in the draft report that the scope, contents, and other elements of a PoA should be discussed within the OEWG.
Outcome: The annual progress report recognised the centrality of the OEWG as the mechanism within the UN for dialogue on security in the use of the ICTs. States will also engage in focused discussions on the relationship between the PoA and the OEWG, and on the scope, content, and structure of a PoA.
The Secretariat will create a compendium of countries’ statements in explanation of positions on the annual progress report.
States are invited to submit their views on the global points of contact directory by 25 November 2022.
An intersessional meeting on CBMs will be held on 5–9 December 2022 with states, regional and sub-regional organisations, and interested stakeholders as appropriate to discuss topics which could support and foster confidence building. Other sections are specifically to be discussed at the fourth and fifth sessions. The intersessional meeting will be held in New York, with the hybrid option made available for those delegations who may not be able to participate in person.
The OEWG will meet on 6–10 March 2023 for its fourth substantive session.