UN OEWG 2021-2025 – Rules, norms, and principles of responsible state behaviour in cyberspace

Event report

Session 5 of the second substantive session of the OEWG 2021-2025  dealt with the rules, norms, and principles of responsible state behaviour in cyberspace (norms). Like previous sessions, it was held in an informal mode as a working group. Delegations presented different opinions on whether there is a current acquis based on the work and cumulative 2010, 2013, 2015, and 2021 GGE reports and the 2021 OEWG report, and whether new norms and legal instruments need to be elaborated.

Argentina, Austria, Australia, Brazil, Canada, Chile, Costa Rica, Estonia, France,  Germany, Japan, Kenya, the Netherlands, Portugal, the Republic of Korea, Singapore, the United Kingdom, the United States of America, Uruguay, Vietnam, the European Union and its member states, the candidate countries, North Macedonia, Montenegro, and Albania, the country of stabilisation and association process and potential candidate, Bosnia and Herzegovina, as well as Ukraine, the Republic of Moldova, Georgia, and San Marino (EU), stated that the adoption of 2010, 2013, 2015, 2021 GGE and 2021 OEWG consensus reports provides an acquis, is the basis for the work of the OEWG 2021-2025, and has reaffirmed a set of foundational norms of responsible state behaviour in cyberspace. These delegations voiced the opinion that discussions at the current OEWG should be focused on the implementation of the existing norms and the guidance on how to proceed with such implementation.

Based on 2015, 2021 GGE and 2021 OEWG reports, which guide UN member states to review the steps taken to implement the recommendations of the reports, identify barriers to implementation and specific capacity gaps that limit implementation, Australia collectively with Argentina, Canada, Chile, Denmark, Estonia, France, Indonesia, Kenya, Mexico, the Netherlands, New Zealand, Pacific Islands Forum member states, Poland, and South Africa presented an online national survey tool. This tool aims to help states determine the implementation of norms, contribute to accountability, share best practices, and serve as a global point of contacts (PoC) directory. Australia proposed that the OEWG recommends that states use the survey to voluntarily self-assess the implementation of norms and recommendations. This tool, under the UNIDIR Cyber Policy Portal, was also supported by many delegations at Session 6 dedicated to international law.

The Netherlands, the USA, Estonia, and the UK pointed out the importance of safeguarding the public core of the internet and internet freedom, with an emphasis on the rights to access information, freedom of expression, peaceful assembly and association online.

Regarding specific norms that deserve the attention of the OEWG at this time, the EU, France, Germany, the Republic of Korea, Switzerland, and Vietnam highlighted due diligence obligations in norm 13c of the 2015 UN GGE report (states should not knowingly allow their territory to be used for internationally wrongful acts using ICT). 

Haiti, the Netherlands, Kenya, Malaysia, Portugal, Switzerland, Ukraine, and Uruguay pointed out the importance of the protection of critical infrastructure (norm 13f). Singapore also stressed the importance of critical infrastructure in maintaining the integrity of political and electoral processes. China welcomed the discussion on defining and protecting critical infrastructure based on the principle of sovereignty.

Haiti and the USA recalled norm 13b on attribution, with the USA emphasising its importance in the context of public attribution of state-sponsored malicious cyber activities. China stated that in the investigation of cyber incidents, any conclusion should be supported by complete and sufficient evidence. According to China, the publication of attribution conclusions will aggravate misunderstanding and miscalculation among states and even lead to confrontation. 

Norm 13i on the integrity of supply chains was stated to be of utmost importance by India, France, El Salvador, Switzerland, and Malaysia. China called for the adoption of consensus on the development and implementation of rules and standards for supply chain security.

Iraq and Nicaragua, on the other hand, pointed out that the norms in paragraph 13 of the 2015 UN GGE report and its recommendations are insufficient and should be revisited.

Speaking about the development of new norms, South Africa and Kenya stated that the development of new norms should not detract from the implementation of the existing norms. Further development of norms, rules, and principles should be understood as a process of evaluating and updating where necessary and refining rather than seeking to develop a completely new set of norms.

India stated that the norms in the existing form need a complementary framework to outline the mechanisms of cooperation, information exchange, trust-building initiatives, and sharing of best practices. The OEWG should consider building an additional layer of understanding on the existing norms and may develop additional ones on an as-needed basis. Egypt suggested the development of a compilation document that would include the agreed norms and recommendations and relevant processes with a focus on identifying gaps and overlaps and developing binding rules that reflect the ICT environment and differentiated capacities of member states. 

On behalf of the Non-Aligned Movement, Indonesia pointed to the need for indicators and parameters to measure the level of effectiveness of the implementation of norms by using a voluntary national survey.

Vietnam expects that the OEWG  will discuss the development of an international framework of rules and norms in line with international law. Vietnam stated that in the meantime, all states should observe the widely acknowledged norms, including those developed within the GGE processes. Pakistan believes that adherence to the norms is contingent upon equipping member states with skills and technologies and clearly defining the modalities for the implementation, while the goal should be a new binding legal instrument.

Belarus, China, Cuba, El Salvador, the Islamic Republic of Iran, Nicaragua, and the Russian Federation stated that the current norms are not sufficient and need further discussion and development through the work of the OEWG. According to these states, the outcomes of the GGE reports and 2021 OEWG Report (Chair’s Summary) serve as guidance for clarifying and elaborating the norms. 

China, Cuba, El Salvador, the Islamic Republic of Iran, Pakistan, and the Russian Federation are calling for a new binding legal instrument to govern responsible state behaviour in cyberspace. The Russian Federation suggested developing a UN convention on international information security. China pointed out their proposal on the Global Initiative on Data Security as a blueprint for possible global rules.

The proposed Programme of Action as a permanent and inclusive platform for the implementation of current norms and capacity development was supported by Argentina, Canada, Chile, Egypt, the EU, France, Germany, Japan, Jordan, Switzerland, and Ukraine. Delegations reiterated the importance of regional engagement through a variety of forums, such as the Arab League, ASEAN, the OAS, the GFCE, and ITU.