OEWG adopts third annual progress report (APR)

The 8th substantive session of the Open-ended Working Group (OEWG) on security of and in the use of information and ICTs 2021–2025 was held 8-12 July, during which the OEWG adopted its third annual progress report (APR). Here is a quick summary of the discussions.

Existing and potential threats. ​​Delegations noted that the APR effectively captured the concerns raised during this year’s meetings. This is the first APR (of three) that addresses AI concerns, including new vectors, the exploitation of vulnerabilities, and data used for AI model training, emphasising the potential risks of autonomous cyber attacks. The report detailed ransomware and cryptocurrency theft threats more thoroughly than last year, though Nicaragua and Russia questioned their relevance to international peace and security. Discussions on critical infrastructure protection led to a compromise, balancing specific examples of critical infrastructure with respecting each state’s authority to define its critical sectors.

Norms, rules, and principles of responsible behaviour. States discussed whether there is a need to develop new norms or to implement existing ones. A chair’s proposal for a list of practical steps to implement voluntary, non-binding norms of responsible state behaviour (checklist) was also discussed. Most states welcomed the chair’s proposal for a checklist annexed to the APR, with the understanding that it should serve as a living voluntary document adaptable to national contexts. Some states mentioned that more time is required to study the checklist; therefore, the proposal could be postponed until the following year’s work cycle.

International law. Some countries believe that existing international law doesn’t apply to cyberspace due to its unique attributes, and they are calling for a completely new legally binding document. To bridge the gap between differing opinions, the APR notes that states will consider whether any gaps exist in how existing international law applies in using ICTs and consider the development of additional legally binding obligations if appropriate. Many delegations were disappointed that the APR omitted the application of international humanitarian law (IHL) during armed conflicts and references to due diligence and scenario-based exercises.

Capacity building. The APR highlights capacity-building as essential for developing political and institutional resources to enhance resilience and facilitate digital transformation. The high-level roundtable discussion held in May was commended, along with the proposal to institutionalise these roundtables. Delegations welcomed the secretariat’s proposal to establish a voluntary fund to support the capacity building for states on security and ICT use. Still, they raised concerns about duplication with existing funding structures. Support was expressed for proposals for the global cybersecurity portal and capacity-building catalogue. There was also consensus on the importance of gender-responsive capacity-building efforts.

Confidence building measures (CBMs). The launch of the Global Points of Contact (POC) Directory and its online portal in May 2024 marked the concretisation of CBMs and a key achievement for the OEWG process. States reaffirmed their support for a step-by-step approach to CBMs, the need to implement the POC directory, and the already agreed CBMs before considering whether further tools were needed. New global CBMs have nevertheless been discussed, including common terminologies and standardised templates to facilitate communication. Most states appreciated the significant experience regional organisations hold and how their best practices could inform the discussion of these new CBMs.

Regular institutional dialogue (RID). The OEWG’s mandate ends in July 2025, which means a new form of RID should be established under the UN auspices to discuss ICT security. The delegations agreed that this future mechanism should be single-track, permanent, and established by consensus. 

The functions and scope of this mechanism were in the spotlight, with countries building a laundry list of wishes. It was decided that the mechanism would strengthen ICT security capacity for all states; implement and further develop the existing framework for responsible state behaviour in ICT use; address existing and potential threats; address voluntary norms, while recognising that additional norms could be developed over time; study international law’s application to ICTs and identify any potential gaps in its application, and consider new legally binding obligations if appropriate; and develop and implement confidence-building measures and capacity-building initiatives.

The structure of the mechanism was also under heavy discussion. One substantive plenary session, at least a week long, will be held annually to discuss key topics and consider thematic group recommendations. States decided that thematic groups within the mechanism would be established to allow for deeper discussions. But, there was no agreement on the themes these groups should tackle. Some states warned that creating too many thematic groups would be challenging for smaller delegations to participate, making the groups noninclusive. The chair may convene intersessional meetings for additional issue-specific discussions. A Review Conference every five years will monitor the mechanism’s effectiveness, provide strategic direction, and decide on any modifications by consensus. 

Another tricky question was the modalities of stakeholder engagement with the mechanism. Some states consider the ad-hoc committee on cybercrime modalities for stakeholder engagement to be the gold standard, where stakeholders attend any open formal sessions of the ad hoc committee, make oral statements, time permitting, after member states’ discussions, and submit written statements. Other countries caution that the OEWG’s own much-discussed modalities should be applied because they are the hard-won result of delicate compromise. This issue was ultimately deferred to the group’s next meeting.