Discord and diplomacy: reviewing outcomes from the UN’s cyber working group

The United Nations’ Open-ended Working Groups (OEWGs) devoted to issues of international cyber security have seen their fair share of ups and downs. The first iteration of the Group (2019 – 2021) had to adapt to the challenges of pandemic-era virtual meetings and hybrid negotiations. The second and current Group (2021 – 2025) got off to a rocky start due to deadlock over the modalities for non-governmental stakeholder participation in OEWG sessions. Yet the challenges that arose during the Group’s most recent substantive session, held in New York from 24-28 July 2023, feel weightier. The main point of contention – the need for legally binding obligations – is one that underlies much of the UN’s history of addressing responsible state behavior in the use of information and communications technology (ICT). After being somewhat dormant in recent years, the debate is again simmering to the surface – and is one with profound implications for efforts to advance cyber accountability.

“Footnote Diplomacy”

The primary objective of the fifth session was to adopt an annual progress report (APR). Following an Overview section, the APR mirrors the six standing agenda items that the Group discusses and within each, outlines the nature of what has been discussed since the last report and sets out agreed upon next steps. In this way, the APRs function as a roadmap for work in the upcoming year but also capture important lines of argument and indicate priority issues. As such APRs also have the potential to layer upon one another in a build up to larger substantive outcomes by the time the Group concludes its work in 2025.

Which is where the current controversy comes in. Earlier this year, Russia and a group of states (Belarus, Democratic People’s Republic of Korea, Nicaragua, Syria, and Bolivia) submitted an updated version of an earlier concept note for a UN Convention (aka, a legally binding instrument) on ensuring “international information security”.  Some may recall that this is not a new aspiration of Russia, who has often called for a legally binding instrument or legal measures in earlier OEWG meetings and several years ago, jointly tabled a draft convention; some experts have also speculated that Russia created the OEWGs as a platform by which to eventually create a treaty. Meanwhile, a majority of UN member states, particularly Western countries, do not want legally binding measures and feel the current UN Framework (which consists of the application of existing law, confidence-building measures, and the voluntary UN cyber norms) is sufficient, or are reluctant given the time and resources required to negotiate a treaty. Moreover, most are skeptical about the contents of the concept note and its proposed convention.

In the course of debating the APR draft text during the fifth OEWG session in July, the extent to which these calls and the concept note would be reflected in the text became an issue. This was mainly in relation to the report’s sections that correspond with the Group’s work on the applicability of international law and on “regular institutional dialogue”, which is meant to debate how the UN will continue its work on OEWG issues in the future. Treaty-supporting countries wanted more references to legal measures, a legal instrument, and/or the concept note on a convention whilst others sought to minimize such references, including in relation to how much airtime will be given over to discussing legal measures during future OEWG sessions. In this context, a few countries also disputed if the OEWG has a mandate to discuss the implementation of the 11 voluntary norms that were developed through earlier UN Groups of Governmental Experts (GGEs) – an assertion that felt ludicrous to others, given that these groups are the precursors to the OEWGs and the norms are understood as a foundational part of the UN Framework.

The push for legally binding measures is also coming into conflict with the proposal to create a politically binding instrument (a UN Cyber Programme of Action, or Cyber PoA), which has more supporters amongst Member States and is in a very initial phase of diplomatic consideration, following the adoption of UNGA resolution 77/37 in 2022. It is possible that Cyber PoA momentum is what has spurred recent action to make progress on a convention. Over the last year, interested Member States have submitted their views on the scope, structure, and content of a possible Cyber PoA and many have engaged in regional consultations, some of which also made space for views from civil society, academia, and business. Given that this process is further along and enjoys higher numbers of formal support amongst Member States, it was unacceptable for many that the proposal on legal measures be given equal treatment as the Cyber PoA proposal.

Because the APRs are adopted by consensus – which is almost always interpreted to mean unanimity in the UN – these opposing views came to a diplomatic stand-off during the final day of the fifth session. Most Member States expressed readiness to accept the final draft APR as presented by OEWG Chairperson Burhan Gafoor of Singapore, even while highlighting specific shortcomings in the text and disappointment over various omissions or changes.

Russia and a group of states said they could not accept the draft, however, insisting on the insertion of a reference to their concept note.  Russia also referred to the Declaration of the Second Russia–Africa Summit on Cooperation in the Field of International Information Security adopted earlier that day, and in particular its reaffirmation of “the key role of the UN in further developing rules, norms, and principles of responsible behavior of States in the use of information and communications technologies, including through the establishment of international legally-binding instruments and their implementation by UN Member States within agreed framework.” In the Declaration, Russia and African states acknowledge “the need to elaborate under the UN auspices effective and universal legally-binding instruments on the security of and the safe use of information and communications technologies and the prevention of computer attacks against civilian infrastructure.” Presumably, this was done to demonstrate that there is wider and official support for legal measures than may be evidenced by endorsers of the UN concept note.

With the OEWG Chairperson calling for a suspension of the meeting to find a way forward, it felt as though a consensus report was out of grasp. Toward the end of the day, however, the Chair presented a solution that involved the insertion of two footnotes.  The first was added to paragraph 32 (which is about the possibility of additional legally-binding obligations) and referred to the proposal that was made in this regard (i.e. the concept note), and which is included in an Annex that contains all proposals made in the last year of work. The second footnote was added to paragraph 58, which focuses on the PoA proposal and references a report of the UN Secretary-General about the scope, structure, and content of a future PoA (A/78/76). This arrangement was acceptable to Russia and others in the group statement, and as such the text was adopted with these oral amendments and “footnote diplomacy” as described by Greece.¹The final adopted version of the APR including oral amendments will be available on the OWEG website later this summer, and submitted to the UNGA during the First Committee session in October.

Consequences of Consensus

But consensus comes with consequences, particularly when it is wielded as a veto. This often means that if even one state objects to something, then consensus is seen to be broken—even if all the other Member States are in agreement on the point in question. This usually has the effect of watering down final reports and outcome documents in an effort to find a compromise. In its closing remarks, Canada warned against using consensus as a bullying tactic to block progress.

While a consensus report is not perfect it is an important step forward, as India observed in its final remarks. The adopted APR does outline multiple decisions and next steps that can be considered concrete and actionable, which has been a priority for the OEWG Chair since taking the helm in 2021. Some are described in the section below. Moreover, participation in the OEWG continues to deepen and mature with ever more substantive proposals being tabled including from ever more diverse Member States. As its participants are fond of stating, the Group plays a role as a confidence-building measure by enabling dialogue and building trust.

Fostering Accountability?

In a world where trust and confidence feel ever more precious, and multilateralism ever more necessary, this cannot be understated. But in a world where there are also ever-evolving cyber threats, harms, and aggression, the need for impactful action can also not be understated. Accountability to existing international law and norms – for both compliance with and instances of violation – is imperative.

The next phase of the OEWG and broader developments in the UN system on cyber accountability will be relevant to the Stimson Center’s work in this area. Just prior to the OEWG session, UN Secretary-General Antonio Guterres released a Policy Brief on A New Agenda for Peace in which he calls for an independent multilateral accountability mechanism for the malicious use of cyberspace. Accountability was also featured in a recent UN Security Council Arria-formula meeting on cyber operations targeting critical infrastructure. In the context of the OEWG, discussions about norms implementation and the applicability of law are vital for improved accountability – and as our work has shown, capacity-building is foundational for accountability.

A legally binding instrument would in theory be a critical vehicle for improved accountability but the one proposal on the table raises more alarms than assurances in this regard and the appetite to negotiate is extremely low, not least given the current geopolitical climate. The PoA, as a politically binding instrument, offers a valuable middle ground in this respect. It could also be pivotal for the implementation of the Framework but much depends on how the instrument is designed, should a negotiation process even begin.

OEWG Outcomes and Highlights

While the dispute over legal measures may have stolen the show it is by no means the only matter of substance that will be important for the Group’s work going forward. Below is a brief overview of some other key outputs for OEWG-watchers to stay abreast of:

• Over the last year Member States and stakeholders have been discussing a proposal to create a UN Global Points of Contact Directory. Along the way, many states have outlined concerns about duplication of existing directories, the capacity to maintain it, and differing ideas about a PoC mandate (technical versus political). As part of the APR, states adopted a paper (“Elements for the Development and Operationalization of a Global, Intergovernmental Points of Contact Directory” Annex A of APR) as the next step in operationalizing the Directory. Its further operationalization and utilization will be discussed in future meetings.
• The OEWG’s discussion about cyber threats continues to mature and specify and this is reflected in the APR, although high levels of concern around the relationship between cyber security and artificial intelligence, and quantum computing, were omitted as was an earlier reference to spyware. Notable also is the recognition of the cascading effects of operations targeting critical infrastructure (CI) and critical information infrastructure (CII); impacts on electoral processes and the use of covert information campaigns; and recognition that ICTs have already been used in conflicts in different regions.
• Earlier this year Kenya had proposed creating a repository for cyber threats. Ultimately this did not garner enough support to be endorsed.
• An earlier proposal to develop a glossary of technical ICT terms and terminologies that could assist States in developing common understandings of rules, norms, and principles was omitted from the final version. However, in the section on confidence-building measures (CBMs), states are encouraged to voluntarily share national views on technical ICT terms and terminologies to enhance transparency and understanding.
• Earlier language that would have encouraged more robust discussion about norms implementation and the elaboration of guidance for doing so was slimmed down in the final version of the APR, and the suggestion of future discussion on possible new norms was removed. States are now requested to elaborate additional guidance, including a checklist, on the implementation of norms, and the OEWG Chair is requested to produce an initial draft of such a checklist for consideration by States.
• Ireland, Costa Rica, Finland, and New Zealand published their national views on the applicability of international law in the second half of July. These are available on the OEWG website as well as the Cyber Policy Portal. Publication of such views is an activity that has been recommended by the OEWG process throughout; approximately 30 countries have done so to date.
• Three dedicated inter-sessional meetings are requested to take place in the coming year to discuss threats; rules, norms, and principles; and the applicability of international law.
• A German-led suggestion for a more active reference to the applicability of international human rights law (IHRL) to state behavior in the use of ICTs was not included in the final APR, although IHRL remains among the open list of topics proposed by States for further discussion under international law. During the session, there was pushback on references to human rights and/or IHRL.
• There was also pushback to the language on gender from a few states. Gender references are more mainstreamed in this APR than its predecessor or any other OEWG outcome document to date, appearing in the introduction, threats, and capacity-building sections. The section on capacity-building reflects the evolution of striving for “gender-sensitive” cyber capacity-building versus “gender-responsive”.
• There are several next steps included in the capacity-building section, including a mapping exercise to be led by the UN Secretariat, and culminating in a report; an inter-sessional Global Roundtable meeting on ICT security capacity-building; and continued discussion of India’s proposal to create a Global Cyber Security Cooperation Portal, particularly on how to synchronize such a portal with existing similar efforts. Generally, there are growing calls from states and stakeholders to better integrate cyber capacity-building within socio-economic development efforts.
• The role and participation of non-governmental stakeholders is integrated throughout the APR and in reference to future meetings, although in a few instances, there are qualifiers.
• States agreed in principle on common elements for regular institutional dialogue.

Notes

• 1
  The final adopted version of the APR including oral amendments will be available on the OWEG website later this summer, and submitted to the UNGA during the First Committee session in October.