A new permanent cybersecurity forum at the United Nations is currently in the works – the so-called ‘global mechanism’ for cybersecurity. This follows from the work of the now-concluded 2021-2025 open-ended working group (OEWG) for cybersecurity and is good news. Cyber diplomacy forums are scarce, and a permanent mechanism prevents valuable discussion time from being spent debating the modalities of a successor forum. A single-track forum also prevents the UN cybersecurity dialogue from bifurcating, as was the case between 2019 and 2021 – this was problematic because many states lack the resources to cover two parallel processes.
Although the creation of the global mechanism is a step in the right direction, the OEWG’s final report also provides ample grounds for criticism: it contains only weak references to international law and the new mechanism will lack focused discussions and meaningful stakeholder participation. While the modalities laid out in the report of how the new mechanism will function are problematic, there is still room for committed cyber diplomats to make this mechanism more productive.
Weak on international law
UN cybersecurity reports are a vehicle for strengthening and further developing international law – if they reference relevant bodies and provisions of law. In this respect, the OEWG report falls short: it only mentions that states discussed international humanitarian law and might discuss international human rights law. A group of states proposed substantial language on, for example, how international humanitarian legal protections for civilians apply to cyber operations, but this proposal did not make it into the report.
This shortcoming is all the more concerning given that the report makes reference to Russia’s long-standing push for a UN cybersecurity convention, which – if it comes to fruition – would likely further erode previously consensual international law provisions.
Besides, the report makes little progress toward implementation of the remaining pillars of the so-called framework of responsible state behaviour – the set of international law, norms, and capacity-building and confidence-building measures that govern the use of information and communication technologies by states. Cyber norms remain unimproved and the proposals on cyber capacity-building risk duplicating existing efforts. Among the set of proposed cyber confidence-building measures, most refer to activities that would also take place otherwise, like the continuous exchange of views and sharing information on good practices – and the remaining one again risks replicating existing activities.
Little room for issue-specific discussions
The second criticism of the final report concerns the structure of the global mechanism, which allows for little thematic focus in discussions. The mechanism will consist of a plenary session, open to all UN member states, as well as two working groups. If previous OEWGs are any indication, plenary sessions will be well-attended, with long lists of speakers who read out prepared statements addressing a laundry basket of agenda items. This setup is not conducive to making meaningful progress on pressing cybersecurity problems.
The working groups, meanwhile, were originally supposed to focus on individual issues, allowing states to focus their participation, and creating a less crowded, informal setting. One working group, on cyber capacity-building, holds true to this idea. However, the other – titled ‘specific challenges in the sphere of ICT security in the context of international security’ – is, despite the name, overly broad and will likely become a second plenary with no room for issue-specific discussions.
Obstacles to meaningful stakeholder participation
The role of non-state stakeholders – from academia, business, and civil society – in UN cybersecurity discussions has been hotly debated for years. While many Western states are convinced that stakeholder expertise is a great asset to discussions, the group of states aligned with China and Russia views them as unnecessary for a state-centric process.
Although the modalities for participation of non-state actors in permanent mechanisms are slightly better than those for OEWGs, one big obstacle remains: single states can veto the participation of stakeholders they deem undesirable – a prerogative that Russia has used extensively. During the OEWG process, states and stakeholders (including the author) proposed removing the veto right, giving stakeholders a right to speak during each session, creating a hybrid participation option, and facilitating swift decisions on accreditation. Only the last point made it into the final report.
The path to the global mechanism
Independent of these shortcomings, the road to the global mechanism is well-defined. At the end of 2025, Singapore – as the OEWG chair – will submit a resolution to the UN General Assembly containing the group’s final report and proposing the establishment of the global mechanism. This resolution will likely be adopted without a vote, as there will be no rival proposal. The mechanism will then hold its first session in March 2026, open to all states and (non-vetoed) stakeholders.
How constructive the forum will be will also depend which country will chair the mechanism during the first four years. Any candidate must be acceptable to Western countries as well as Russia and China, have sufficient resources in their ministry of foreign affairs, and, ideally, have previous cybersecurity policy expertise. Indonesia, Malaysia, Morocco, Qatar, or the United Arab Emirates fit this profile, and the fact that their regions have been underrepresented in UN cyber processes to date also makes them suitable candidates.
Diplomats should push for issue-specific discussions and meaningful stakeholder participation
Even if the starting conditions are not ideal, states committed to the framework and multistakeholderism can tweak the mechanism for the better.
First, diplomats should strive to make room for substantial discussions focused on individual cybersecurity problems. If states identify this as a priority in good time, the working group that currently mirrors the plenary could be adapted accordingly – but this requires a consensus that will be hard to achieve.
Alternatively, states could convene an ad hoc working group, which would not require consensus, so a majority of states would likely be sufficient. Finally, new working groups can be set by consensus at the first review conference, which will take place after four years. Considering these options, diplomats of like-minded states will need to coordinate closely among each other and reach out to other non-aligned states as well.
Second, diplomats committed to multistakeholderism should ensure that the expertise of academia, businesses, and civil society finds its way into the UN process. Here, too, the working groups provide an opening, as the report does not specify under what conditions non-state actors can participate. To interpret this as generously as possible, Western states should coordinate to provide the facilitator for one of the working groups. Such efforts are likely to be successful as the global mechanism chair will not come from a Western state – since China and Russia would not agree to this – and the UN is committed to the principle of equitable geographical representation.
In addition, states can sponsor stakeholders’ participation in sessions. They can also hold stakeholder consultations before and debriefs after sessions to gather input and disseminate discussion results. Crucially, such efforts should also involve the business community, which has been largely absent from the UN cybersecurity dialogue to date. Through such pragmatic steps, committed states can improve meaningful stakeholder involvement in the process.
Overall, the modalities of the new UN cybersecurity mechanism are far from ideal. Still, cyber diplomats committed to advancing the framework of responsible state behaviour should take the recommended steps to create a forum for meaningful discussions of the urgent and growing problems of cybersecurity.
Note: This is an adapted version of an op-ed published previously, in German, by Tagesspiegel Background Cybersecurity.
Read more on the OEWG process and controversies facing the global mechanism from Elaine Korzak.
Related Posts
