The UN open-ended working group (OEWG) on security of and in the use of information and communication technologies concluded in July its five-year mandate, issuing a consensus final report that, among other things, set up a new, permanent discussion forum under the auspices of the UN – the so-called ‘global mechanism’.
Though the OEWG was successful in reaching consensus and in keeping international cybersecurity discussions going through challenging geopolitical circumstances, the group ultimately failed to resolve key controversies among states that have characterised negotiations for more than two decades. These issues – new cyber norms, international law and its application, and the participation of stakeholders – will carry over to the global mechanism. Given the incremental progress that has been made thus far, it remains doubtful whether any substantive breakthroughs can be produced in this new forum.
What was the OEWG?
The cyber OEWG’s final report marked the end of a long string of ad hoc processes that have advanced cybersecurity negotiations at the United Nations for more than two decades. These processes – established to study particular issues for a limited time – included a total of six groups of governmental experts (GGEs) and two open-ended working groups.
Key parts of the 2021-2025 OEWG’s mandate were the UN’s international framework for responsible state behaviour in cyberspace and its elements, including (1) rules, norms, and principles of responsible behaviour of states; (2) how international law applies to the use of information and communications technologies by states; (3) confidence-building measures; and (4) capacity building. Importantly, the OEWG was also tasked with creating a follow-on process to continue this work, a defining feature of its negotiations.
OEWG outcomes
While the OEWG managed to adopt three annual progress reports as well as the final report, all by consensus, progress has been limited or incremental across the issue areas of the mandate. Agreement for new commitments or initiatives represented mostly low-hanging fruit rather than fundamental breakthroughs to long-standing controversies. For instance, addressing confidence-building measures, the group created an ‘Initial List of Voluntary Global Confidence-Building Measures’ as well as a ‘Global Points of Contact Directory’, both voluntary in nature.
In many instances, the final report referenced agreements or recycled language from reports of prior GGEs and OEWGs. The section on international law, in particular, did not yield substantive progress on the question of how international law applies to the use of information and communication technologies (ICTs) by states. The report mostly reaffirmed language that had been previously agreed to, though some states, such as Russia, even attempted to walk back some provisions on the application of international law.
The OEWG’s defining and lasting achievement was the creation of a new permanent mechanism to continue discussing ICT security under the auspices of the UN, named the ‘global mechanism’. This new mechanism marks a significant development in the history of UN negotiations, departing from the string of ad hoc GGEs and OEWGs to establish a permanent discussion platform under the First Committee of the UN General Assembly.
The global mechanism is a state-led process that will be structured around substantive plenary sessions, dedicated thematic groups, and dedicated intersessional meetings, as well as review conferences every five years. It will continue to focus on ICT security in the context of international security, and all decisions in the global mechanism will be based on consensus, meaning that all participating states need to agree.
While the creation of the global mechanism is notable, the 2021-2025 OEWG ultimately failed to resolve fundamental differences and disagreements among states that have characterised negotiations thus far. Instead, the discussions in the final substantive session of the OEWG showed that a number of key controversies persist. These will now be carried over into the new mechanism.
Challenges to meaningful progress ahead
As it faces the task of developing and implementing the framework for responsible state behaviour in cyberspace, the global mechanism will have to grapple with the following unresolved controversies:
First, states are fundamentally divided on the need for new or additional norms. Currently, the framework for responsible state behaviour contains 11 voluntary, non-binding norms for states. While like-minded states, including EU members, want to focus on the operationalisation and implementation of these norms, others are advocating for the inclusion of new norms.
This issue is closely tied to the question of whether an international legal agreement is needed to regulate state conduct in cyberspace. Russia, in particular, has been advocating for the negotiation of a convention on ‘international information security’ to cement a legal regime in line with its vision of cyberspace governance. However, states including the US and EU members have been adamant in their opposition, arguing that the framework for responsible state behaviour is sufficient to regulate state conduct. Negotiations have been shaped by these opposing views since their inception.
Second, the application of international law to state conduct in cyberspace, in particular the application of international humanitarian law, remains fundamentally unsettled. Though an increasing number of states have issued national positions on the application of international law in cyberspace – most recently Thailand – discussions in the UN still lack granularity with regard to the application of specific legal obligations (ie, the question of how international law applies to cyberspace).
Further, the inclusion of international humanitarian law in the OEWG final report has proved to be a particularly thorny issue; in the end, international humanitarian law was still not explicitly recognised as applying to conduct in cyberspace. Russia and China have objected to the inclusion of international humanitarian law for many years, arguing that any recognition of its applicability would result in a militarisation of cyberspace. States that view the subject differently have thus far failed in their efforts to include language intended to enhance the protection of civilians during armed conflict.
Third, the role of non-governmental stakeholders and their participation in UN proceedings remains controversial. Discussions around stakeholder participation were lengthy and politicised, holding up the negotiations of the 2021-2025 OEWG until a consensus was reached on provisions for how stakeholders can apply to attend formal meetings (so-called ‘stakeholder modalities’). Many non-governmental stakeholders seeking accreditation to attend the OEWG meetings throughout its five-year mandate were unable to participate, often due to a veto by a single UN member state.
Russia and China, in particular, have emphasised the state-centric nature of UN negotiation and have sought to restrict access by non-governmental stakeholders. In contrast, EU member states and other like-minded states have argued that non-governmental stakeholders provide unique and much-needed expertise in the area of ICT security.
While the creation of the global mechanism provides an opportunity for continuous and sustained engagement to discuss and implement the framework for responsible state behaviour in cyberspace, going forward, the mechanism will continue to face the same fundamental controversies among states that have characterised negotiations thus far. Given the entrenched views among states on the three issues outlined above, it remains doubtful whether the new permanent mechanism can break with previous negotiation dynamics and yield substantive progress on governing online behaviour in the coming years.
Read more about how cyber diplomats might be able to make the global mechanism more impactful from Alexandra Paulus.
Related Posts
