What’s new with cybersecurity negotiations? The second cyber OEWG’s organisational session

Two weeks ago, the second cyber Open-Ended Working Group (OEWG), which will be active until 2025, held its first organisational session to determine how and when it will conduct its work.

This second cyber OEWG started less than three months after the first one finished. Its chair was elected with no objections from other delegates (in UN-speak: by acclamation).

However, Mr Burhan Gafoor, Ambassador and Permanent Representative of Singapore to the UN in New York, noted something quite interesting in his first address as the chair of the OEWG: he had found out only a few days prior that he was nominated for the post. Gafoor stated that he hadn’t had the time to reach out to as many delegations as he would have wanted. It could explain why the session lasted one instead of two days – the chair might have wished to familiarise himself with the delegations’ positions. In the end, the organisational session ended with more questions than answers.

Acting on consensus?

At the very beginning of the session, Russia threw a curveball suggesting that the organisational note be amended to limit the consensus requirement only for the decisions of the cyber OEWG. Practically speaking, states would not have to agree on procedural and organisational matters unanimously. This would allow any country to limit which issues would be on the agenda.

Still, for the most part, delegates stated that the work of the second cyber OEWG is based on consensus. The chair stated that, as a subsidiary body of the UN General Assembly (UNGA), the OEWG will follow UNGA procedural rules, which include acting and taking all the decisions on a consensus basis. The states adopted this without objections.

How to facilitate other stakeholders’ engagement?

Unsurprisingly, all delegations which touched upon multistakeholder dialogue expressed their support for it. However, less than a third spoke about the way it should be organised. Half of them suggested that the example of the first OEWG should be followed, where other stakeholders were involved via informal multistakeholder consultations. The other half suggested that non-government stakeholders have a more formalised mechanism to participate, whether through formal sessions or subgroups.

To make everyone equally (un)happy, the working group can go for the common denominator: including businesses, NGOs with UN Economic and Social Council (ECOSOC) consultative status, and academia in intersessional consultations, with no role in decision-making.

Will there be thematic subgroups?

The resolution which created the second cyber OEWG, allows for a possibility of thematic subgroups, and this was the most addressed topic of the session. Several proposals were voiced on creating subgroups – from setting up equal thematic subgroups to creating a hierarchy between the subgroups. However, detailed discussion did not take place.

No proposals were made about the membership of these groups or the way these would operate. Over the course of the first OEWG, over 100 delegations took the floor, and 66 delegations took the floor during its last substantive session in March 2021. If the participation in subgroups were open to all delegations (as it should be), it would hinder the functioning of the subgroups and further strain the resources of small and developing countries participating in the OEWG.

What is clear is that the subgroups would meet between substantive sessions, which is a good way to keep delegations continuously engaged in the OEWG process over a long period of time -four years to be precise.

However, it remains unclear what mechanisms can be put into place to ensure the timely input of subgroup discussions into the substantive discussions. Several delegations brought up the idea that each subgroup should elect two chairs, one from a developed and one from a developing nation, who would communicate the results to Gafoor. The notion that the chair of the OEWG should be the lynchpin and preside over all subgroups was also brought up, but did not gain  the support of more than two countries

It was noted by a few delegates that subgroups, if established, should be held sequentially to respect the needs of small delegations as they cannot attend many parallel meetings.

An observation can be made here; it would be up to each delegation to decide whether they would want to send multiple representatives to each follow the work of a subgroup, or one representative to follow the work of all subgroups. The formation of subgroups would most likely mean in-depth discussions on pre-set topics, and it is unlikely all countries have the expertise and presence in New York necessary to meaningfully participate in discussions.

Fears about subgroups fragmenting discussions – as the topics discussed are mutually interdependent and one cannot be deemed more important than the other – and the consensus, were repeated incessantly. Six delegations rejected the idea of subgroups due to these reasons.

As the OEWG is acting under consensus, it is likely that thematic subgroups either won’t be established, or if established at all, they will be held sparsely, perhaps cutting into the possibility of diving in depth into discussions.

The complementarity of UN processes

Those that follow cybersecurity negotiations at the UN know that there are multiple processes discussing the peaceful use of ICTs. These are the second cyber OEWG, the Group of Governmental Experts (GGE), and the proposal of the Programme of Action (PoA) which would establish a permanent process for discussions. The PoA proposal has wide support from the UN member states.

Five delegations suggested the proposed PoA to be discussed in this OEWG, and one of it’s main co-sponsors France stressed that there is work underway to ensure the complementarity of the PoA and OEWG. Three delegations underlined the complementarity between the OEWG and GGE. It seems that Russia is not opposed to the GGE format either, as its elaborate proposal of subgroups did not include an OEWG subgroup on norms, rules, and principles of state behaviour. This could be quite telling – the country may have been one of the most vocal co-sponsors of the OEWG in 2019, but it is very possible that it will want the GGE to continue tackling this topic.

The GGE/OEWG/PoA saga continues to be convoluted. The GGE’s fate will be decided in September 2021. The OEWG will last until 2025 with the first substantive session planned for 13-17 December 2021. The proposal for the PoA is not elaborated in detail yet, and many countries think that the OEWG is the best venue to do so.

Should the UNGA decide to renew the GGE in September, then we will have two parallel processes (OEWG and GGE), and a process discussed within a process the -PoA within the second cyber OEWG.

The session in numbers

The EU delivered a statement on behalf of its member states, and 34 delivered statements in their national capacity. In total, 35 delegations participated in this session, which is just a bit over half from the previous OEWG session.

The visualisation below shows that European countries were the most present, as were the high-income and upper-middle income economies.

It would be too early to predict that other regions are intent not to participate in the process, or that this is a process of the rich and bored since one of the biggest cyber superpowers was absent: the USA. In order to be as successful as the first OEWG, prove its relevance as the multilateral forum for discussions on security in cyberspace, and remain the forum to clarify the positions of states, the participation of main players is essential.

What’s next for the second cyber OEWG?

The second cyber OEWG will hold 11 substantive sessions during its 5 year mandate. The first substantive session will be held between 13–17 December 2021. In the six months between now and the first session, the chair and the delegations will discuss the following questions:

• How should annual progress reports be put together?
• Are there any elements from the previous working group on which the second OEWG should work on?
• Which state initiatives aimed at the secure use of ICTs does the second cyber OEWG need to consider?
• How to enhance the participation of stakeholders while prioritising consensus?
• Are thematic groups necessary for conducting thematic discussions? If so, how and when should they be established?

However, questions will be addressed in informal discussion; underlining that this is, in the end, a state-driven process. It will be up to the chair to keep the process as transparent as possible, and to keep interested independent observers and stakeholders appraised.

Otherwise, it will be a step back from the democratic and inclusive reputation of the process.