Four years ago, I covered the final session of the UN’s first-ever open-ended cyber working group, in March 2021. In an article about the session, I described how rare it was, at the time, to hear applause ring out in UN conference rooms following the group’s adoption of a final report by consensus, because of the highly challenging geopolitical landscape at the time. In 2021, delegations widely commended the adoption by the Group of a final report as a significant milestone and accomplishment for diplomacy and multilateralism, while also acknowledging the compromise required to get to an agreement.
By July 2025, four years and eleven sessions later, amid an even more challenging geopolitical landscape, the UN’s second open-ended cyber working group (hereafter, OEWG) adopted a consensus report on July 11. The adoption was met with ringing applause and similar sense of pride and relief in reaching this diplomatic accomplishment. In this case, the conclusion of the Group’s work also signals the end of an era of temporary UN bodies considering cybersecurity in the context of international peace and security. With the OEWG’s mandate ending, UN Member States agreed to establish a new and permanent “Global Mechanism” for its cybersecurity efforts which is intended to be focused more on practical action, less on dialogue alone. In an era where UN and multilateral frameworks feel increasingly undermined and at times, irrelevant vis-à-vis the more hands-on role that non-governmental actors play in creating, owning, and operating digital technologies, the Global Mechanism will need to demonstrate real-world impact and added value. How can it achieve that promise?
The Consensus Paradox
The diplomatic outcome of the OEWG was the adoption of a final report by consensus. Consensus decision-making is the UN standard, almost always interpreted as unanimity which unfortunately means that any one state can hold up progress by blocking adoption, regardless of the desire of the majority. As a result, agreements are often watered down or decisions postponed in order to get agreement in the moment.
In surveying the many analyses and statements published by state and non-governmental stakeholders alike since the OEWG ended, most view this outcome as a necessary success for multilateralism at a time when security agreements are unravelling and geopolitical relationships are in flux. Moreover, consensus was not a foregone conclusion for the OEWG – all of its recent annual progress reports were subject to high degree of last-minute negotiation, compromise, and ‘footnote diplomacy’, as the clock on each meeting wore down. That there are starkly different views across the UN membership on certain key substantive areas and on what form the Global Mechanism should take is no secret; these divergences had the potential upend the adoption of a report and subsequently, the establishment of a successor body.
More critical voices ask, but at what cost was consensus achieved? What was stripped out of the report to make it palatable to all?
There is a diplomatic adage, nothing is agreed until everything is agreed.’ It means that all components of an agreement are in balance with one another; changes or concessions in one part can affect and are linked to content elsewhere. The OEWG’s final report was revised three times and the final version greatly reduced from its zero draft in both word count, and ambition. Items once slated as recommendations or decisions, became instead topics for the Global Mechanism to continue debating.
The report’s section on international law is an example. Law became the most divisive of the OEWG’s agenda items because of a growing rift between countries who support the application of existing international law to their conduct in cyberspace and those such as Belarus, China, Cuba, Iran, Nicaragua, Russia and Venezuela, among others, that are pushing back on the applicability of existing law, and have always challenged the relevance of international humanitarian and human rights law, in order to advance a new binding cyber treaty. To achieve balance between those viewpoints, the zero draft of the final report included references to proposals for a new treaty as well as on IHL and the applicability of existing legal principles. In the final version, previously agreed-upon language that had reaffirmed international law’s applicability was stripped away alongside references to an ICRC consensus resolution that many states supported as a good foundation for future work in this area. This was done in to balance requests to remove reference to the proposal for a treaty. Many countries also wanted the report to create a Dedicated Thematic Group on International Law as part of the new Global Mechanism but because of concerns that this could become a vehicle for creating a new cyber treaty, it was effectively vetoed out, limiting the Global Mechanism capacity to address this topic with greater precision.
Likewise, the related report section on Rules, Norms and Principles initially set out to see the adoption of an annexed Voluntary Checklist for Norms Implementation but it too was left off, likely as part of a compromise around new language and actions concerning the development of new norms. The checklist would have complemented one already developed by ASEAN and aided states in meeting their normative commitments. Tools like this are something that the Stimson Center has long suggested in order to improve accountability and such normative commitments more tangible.
Process As Progress?
It’s important not to look at the report as the only barometer for a process’s success, even as it sets the foundation for future work. The last four years, building on the two years of the prior OEWG, facilitated significant dialogue among the UN membership that previously did not exist, and that no other multilateral forum can provide. For all its faults, the UN is the only venue where countries with significantly different perspectives engage with one another, including through advancing proposals that were not ultimately adopted by consensus but enjoyed widespread support. Some of the most active and vocal countries in the OEWG are from Global Majority countries, which constitutes a significant shift to a more pluralistic approach to ICTs.
This OEWG further established a global intergovernmental points of contact directory, endorsed eight voluntary confidence-building measures and convened an inaugural UN Global Roundtable on ICT Capacity Building in May 2024. Dozens of side events and panel discussions on the margins of formal meetings have been informal venues for launching reports and exchanging knowledge; especially valued by non-governmental stakeholders unable to gain accreditation to formal sessions. Over the duration of the OEWG, its discussions about cyber threats became more finely nuanced to real-world realities.
Discussion in OEWG sessions facilitated work outside of sessions. More than 35 states, including most recently Colombia, South Korea, and Thailand, and the African Union as a region, have published national interpretations of how international law applies to their conduct in cyberspace, an effort supported by non-governmental legal experts and other organizations, and buoyed along by the OEWG’s encouragement of this activity through its own deliberations on the topic.
Another development was the growth in women’s participation in OEWG meetings due largely to a successful Women in Cyber Fellowship program that enabled opportunities for women from diverse countries to participate meaningfully, achieve gender parity in participation and statement delivery at several meetings, and better integrate gender perspectives into international cybersecurity discussions.
From Words to Work
With the OEWG now in the rearview mirror, what is next for UN cyber governance? The new Global Mechanism (formally titled the “Global Mechanism on Developments in the Field of ICTs in the Context of International Security and Advancing Responsible State Behaviour” which is a literal merging of two title suggestions from France and Russia, respectively) will have its first organizing meeting in March 2026. In an effort to create space for more focused and technical discussions, it will convene two thematic groups each year as well as an annual plenary meeting, plus review conferences every five years. The thematic group approach satisfies the vision of a previously proposed Cyber Programme of Action, which sought to move UN cyber efforts into a more action-oriented mode of work. Some fear that it presents an overly complicated structure, without enough direction, and may duplicate other efforts, and that resourcing is an issue. Much depends on which country will chair the Global Mechanism.
A recent joint Stimson Center-ORF America roundtable discussed how the Global Mechanism can move from talk to action. Many see potential from the two dedicated thematic groups, although recognized these need more precision in their mandates. The modalities for non-governmental stakeholder access are somewhat improved but not perfect, so ensuring that expert voices can inform discussions in a meaningful and timely way is important. Greater interactivity, greater focus, and deliberations that are well-grounded in the realities of cyber threats and existing initiatives can also move the needle from talk to real solutions. Concrete accountability mechanisms and measurable real-world outcomes can help multilateral processes avoid becoming talk shops alone or provide diplomatic cover for inaction.
Cyber diplomacy risks becoming trapped in an endless cycle of consensus-building and procedural debates, as cyber threats continue to devastate critical infrastructure, disrupt democratic processes, and harm civilians worldwide.
In closing remarks delivered at the final session of the first OEWG in 2021, a state said, “Ultimately, success depends not on the report but on our collective determination to implement the commitments made today.” Much like the applause and enthusiasm, this realization should prevail in 2025 – and beyond.
Cyber Diplomacy 2.0: From Process to Impact
By Allison Pytlak
Emerging Technology
After five years, the UN’s working group on cybersecurity has completed its mandate and established a new permanent mechanism to take forward UN work in this area. Many involved are hailing the outcome of the final session as a success for multilateralism and diplomacy. In 2025’s charged geopolitical environment, gaining consensus agreement is indeed a win – but with consensus always comes compromise. What does the final report of the working group contain, and omit, and how can the new mechanism be more action-oriented than its predecessor?
Four years ago, I covered the final session of the UN’s first-ever open-ended cyber working group, in March 2021. In an article about the session, I described how rare it was, at the time, to hear applause ring out in UN conference rooms following the group’s adoption of a final report by consensus, because of the highly challenging geopolitical landscape at the time. In 2021, delegations widely commended the adoption by the Group of a final report as a significant milestone and accomplishment for diplomacy and multilateralism, while also acknowledging the compromise required to get to an agreement.
By July 2025, four years and eleven sessions later, amid an even more challenging geopolitical landscape, the UN’s second open-ended cyber working group (hereafter, OEWG) adopted a consensus report on July 11. The adoption was met with ringing applause and similar sense of pride and relief in reaching this diplomatic accomplishment. In this case, the conclusion of the Group’s work also signals the end of an era of temporary UN bodies considering cybersecurity in the context of international peace and security. With the OEWG’s mandate ending, UN Member States agreed to establish a new and permanent “Global Mechanism” for its cybersecurity efforts which is intended to be focused more on practical action, less on dialogue alone. In an era where UN and multilateral frameworks feel increasingly undermined and at times, irrelevant vis-à-vis the more hands-on role that non-governmental actors play in creating, owning, and operating digital technologies, the Global Mechanism will need to demonstrate real-world impact and added value. How can it achieve that promise?
The Consensus Paradox
The diplomatic outcome of the OEWG was the adoption of a final report by consensus. Consensus decision-making is the UN standard, almost always interpreted as unanimity which unfortunately means that any one state can hold up progress by blocking adoption, regardless of the desire of the majority. As a result, agreements are often watered down or decisions postponed in order to get agreement in the moment.
In surveying the many analyses and statements published by state and non-governmental stakeholders alike since the OEWG ended, most view this outcome as a necessary success for multilateralism at a time when security agreements are unravelling and geopolitical relationships are in flux. Moreover, consensus was not a foregone conclusion for the OEWG – all of its recent annual progress reports were subject to high degree of last-minute negotiation, compromise, and ‘footnote diplomacy’, as the clock on each meeting wore down. That there are starkly different views across the UN membership on certain key substantive areas and on what form the Global Mechanism should take is no secret; these divergences had the potential upend the adoption of a report and subsequently, the establishment of a successor body.
More critical voices ask, but at what cost was consensus achieved? What was stripped out of the report to make it palatable to all?
There is a diplomatic adage, nothing is agreed until everything is agreed.’ It means that all components of an agreement are in balance with one another; changes or concessions in one part can affect and are linked to content elsewhere. The OEWG’s final report was revised three times and the final version greatly reduced from its zero draft in both word count, and ambition. Items once slated as recommendations or decisions, became instead topics for the Global Mechanism to continue debating.
The report’s section on international law is an example. Law became the most divisive of the OEWG’s agenda items because of a growing rift between countries who support the application of existing international law to their conduct in cyberspace and those such as Belarus, China, Cuba, Iran, Nicaragua, Russia and Venezuela, among others, that are pushing back on the applicability of existing law, and have always challenged the relevance of international humanitarian and human rights law, in order to advance a new binding cyber treaty. To achieve balance between those viewpoints, the zero draft of the final report included references to proposals for a new treaty as well as on IHL and the applicability of existing legal principles. In the final version, previously agreed-upon language that had reaffirmed international law’s applicability was stripped away alongside references to an ICRC consensus resolution that many states supported as a good foundation for future work in this area. This was done in to balance requests to remove reference to the proposal for a treaty. Many countries also wanted the report to create a Dedicated Thematic Group on International Law as part of the new Global Mechanism but because of concerns that this could become a vehicle for creating a new cyber treaty, it was effectively vetoed out, limiting the Global Mechanism capacity to address this topic with greater precision.
Likewise, the related report section on Rules, Norms and Principles initially set out to see the adoption of an annexed Voluntary Checklist for Norms Implementation but it too was left off, likely as part of a compromise around new language and actions concerning the development of new norms. The checklist would have complemented one already developed by ASEAN and aided states in meeting their normative commitments. Tools like this are something that the Stimson Center has long suggested in order to improve accountability and such normative commitments more tangible.
Process As Progress?
It’s important not to look at the report as the only barometer for a process’s success, even as it sets the foundation for future work. The last four years, building on the two years of the prior OEWG, facilitated significant dialogue among the UN membership that previously did not exist, and that no other multilateral forum can provide. For all its faults, the UN is the only venue where countries with significantly different perspectives engage with one another, including through advancing proposals that were not ultimately adopted by consensus but enjoyed widespread support. Some of the most active and vocal countries in the OEWG are from Global Majority countries, which constitutes a significant shift to a more pluralistic approach to ICTs.
This OEWG further established a global intergovernmental points of contact directory, endorsed eight voluntary confidence-building measures and convened an inaugural UN Global Roundtable on ICT Capacity Building in May 2024. Dozens of side events and panel discussions on the margins of formal meetings have been informal venues for launching reports and exchanging knowledge; especially valued by non-governmental stakeholders unable to gain accreditation to formal sessions. Over the duration of the OEWG, its discussions about cyber threats became more finely nuanced to real-world realities.
Discussion in OEWG sessions facilitated work outside of sessions. More than 35 states, including most recently Colombia, South Korea, and Thailand, and the African Union as a region, have published national interpretations of how international law applies to their conduct in cyberspace, an effort supported by non-governmental legal experts and other organizations, and buoyed along by the OEWG’s encouragement of this activity through its own deliberations on the topic.
Another development was the growth in women’s participation in OEWG meetings due largely to a successful Women in Cyber Fellowship program that enabled opportunities for women from diverse countries to participate meaningfully, achieve gender parity in participation and statement delivery at several meetings, and better integrate gender perspectives into international cybersecurity discussions.
From Words to Work
With the OEWG now in the rearview mirror, what is next for UN cyber governance? The new Global Mechanism (formally titled the “Global Mechanism on Developments in the Field of ICTs in the Context of International Security and Advancing Responsible State Behaviour” which is a literal merging of two title suggestions from France and Russia, respectively) will have its first organizing meeting in March 2026. In an effort to create space for more focused and technical discussions, it will convene two thematic groups each year as well as an annual plenary meeting, plus review conferences every five years. The thematic group approach satisfies the vision of a previously proposed Cyber Programme of Action, which sought to move UN cyber efforts into a more action-oriented mode of work. Some fear that it presents an overly complicated structure, without enough direction, and may duplicate other efforts, and that resourcing is an issue. Much depends on which country will chair the Global Mechanism.
A recent joint Stimson Center-ORF America roundtable discussed how the Global Mechanism can move from talk to action. Many see potential from the two dedicated thematic groups, although recognized these need more precision in their mandates. The modalities for non-governmental stakeholder access are somewhat improved but not perfect, so ensuring that expert voices can inform discussions in a meaningful and timely way is important. Greater interactivity, greater focus, and deliberations that are well-grounded in the realities of cyber threats and existing initiatives can also move the needle from talk to real solutions. Concrete accountability mechanisms and measurable real-world outcomes can help multilateral processes avoid becoming talk shops alone or provide diplomatic cover for inaction.
Cyber diplomacy risks becoming trapped in an endless cycle of consensus-building and procedural debates, as cyber threats continue to devastate critical infrastructure, disrupt democratic processes, and harm civilians worldwide.
In closing remarks delivered at the final session of the first OEWG in 2021, a state said, “Ultimately, success depends not on the report but on our collective determination to implement the commitments made today.” Much like the applause and enthusiasm, this realization should prevail in 2025 – and beyond.
Recent & Related