UN GGE and OEWG

What is the difference between GGE and OEWG?

Brief analysis on advantages and disadvantages of both GGE and OEWG is available in the Digital Watch Newsletter of January 2019.

Episodes of cyber warfare between states already exist. What is worse is that there is no regulatory scheme for that type of warfare, it is not clear how the Geneva Convention or international humanitarian law applies to it.

U.N. Secretary General Antonio Guterres, 2018

There is evidence from official documents and media coverage that countries are increasingly investing in defensive as well as offensive cyber-capabilities.

In 2004, the UN General Assembly has established the Group of Governmental Experts (GGE) to examine the impact of developments in ICT on national security and military affairs. Six GGEs have been convened – in 2004/2005 (A/RES/58/32), 2009/2010 (A/RES/60/45), 2012/2013 (A/RES/66/24), 2014/2015 (A/RES/68/243), 2016/2017 (A/RES/70/237), and 2019/2021 (A/RES/73/266). In addition, the UN General Assembly has also established the Open-Ended Working Group for 2019/2020 (A/RES/73/27).

• Members

• Selection and Composition

GGEs are composed “on the basis of equitable geographical distribution”. The five permanent members of the Security Council traditionally have a seat on all GGEs, and the remaining seats are allocated by UN regional grouping. States often send an official request for a seat on a GGE of particular interest to them, and might even lobby at the highest levels of the Secretariat for a place at the table. The Office of the High Representative for Disarmament has the task of proposing the Group’s composition to the Secretary-General, taking into account not only geographical and political balance, but a demonstrated interest in the topic, the number of times that a country has served on other GGEs, whether they are currently serving on a different GGE, etc. Occasionally a government might decline to participate in a GGE if it believes it lacks the personnel or expertise necessary for the work.

Once the countries have been identified, they are asked to nominate an expert to participate in the GGE. In almost all cases, these experts are government officials. There was a mix of experts in the early GGEs on information security, some with diplomatic and others with technical backgrounds. Over time, the composition of the experts has changed, as nations have moved to select experts with diplomatic, arms control, or non-proliferation experience. Experts from technical backgrounds can be “left behind” in the sometimes intense diplomatic negotiations that accompany a GGE.

Each GGE selects a Chair from among its members. A strong and skilful Chair is vital to the success of the group. The Russian Federation chaired in 2005 and 2010, Australia in 2013, Brazil in 2015 and Germany in 2016. While it is the experts who sit at the table (there are no “delegations”), some experts are accompanied by advisers. In the recent GGEs, legal advisers have been particularly common.

Source: UNIDIR's Report on the International Security Cyber Issues Workshop Series

• Procedures

The Group, guided by the Chair and shaped by the mandate included in the General Assembly resolution, largely determines its own agenda and work plan. Work, particularly commenting on drafts and informal consultations, is often conducted intersessionally.

Most GGEs meet for four one-week sessions. The Group holds its meetings in the UN format, sitting for six hours a day (from 10 a.m. to 1p.m., and then again from 3 p.m. to 6 p.m.), with simultaneous interpretation into all six official languages of the UN. The GGE’s meetings are closed and there are no publicly available meeting summaries. The closed door format is essential for the frank discussion that GGEs require to find agreement. Thus there are also no observers - whether representatives from other governments, non-governmental organizations, the private sector or international organizations such as the International Committee of the Red Cross. On more than one occasion it has been suggested that the International Telecommunications Union (ITU), the UN specialized agency responsible for developing technical standards for information and communications technologies (ICTs), might be invited to observe the group. However, the General Assembly mandates place the work of the GGEs squarely in the realm of international security and disarmament and thus not as a technical exercise.

The  UN Office  for Disarmament  Affairs serves as  the Secretary to the cyber GGEs.

Source: UNIDIR's Report on the International Security Cyber Issues Workshop Series

• Decision making

Decisions, including decision on the final Report, are made by consensus.

• Relations with other UN bodies and processes

That the GGE falls under the UN’s First Committee has important implications for how the Group interprets its mandate, by focusing and narrowing the scope of the task. The First Committee is a Main Committee of the General Assembly and is allocated agenda items on disarmament and international security. GGEs have decided after multiple discussions that issues that are not under the purview of the First Committee - such as espionage, Internet governance, development and digital privacy - are not the focus of the Group’s work. While terrorism and crime are important topics for understanding cybersecurity, previous GGEs have limited themselves to calling for greater cooperation among States, while deciding that detailed discussion of these topics and the development of recommendations for them is best done in other UN bodies.

Source: UNIDIR's Report on the International Security Cyber Issues Workshop Series

OEWG was established by the UN General Assembly in December 2018 (A/RES/73/27). OEWG is tasked to continue to develop the rules, norms, and principles of responsible behaviour of States, and discuss ways for their implementation, and to study the possibility of establishing regular institutional dialogue with broad participation under the auspices of the UN. Also included in the group’s mandate is a study of existing and potential threats to information security and possible confidence-building measures and capacity-building. Its composition is declared as open, allowing all UN member states that express a desire to participate. The OEWG will work on a consensual basis to develop its report, which is to be presented at the 75th UN session, in autumn 2020.

It started its work on 3-4  June 2019, with an organisational meeting that gathered representatives of almost 100 member states. Switzerland is chairing OEWG. OEWG will hold intersessional consultative meetings with the interested parties - business, non-governmental organizations and academia; applications of non-government organisations and private sector to attend in the meetings will be managed by UNODA, and approved on a “no objection” basis (i.e. no objections by the governments).

A number of issues have been at the centre of the UN GGE's debate, including:

• How to deal with issues that do not fall within the UN GGE's ambit but have an impact on the UN GGE's work related to cybersecurity work Internet infrastructure, content management, freedom of expression, privacy protection, digital economy, etc)

• What qualifies cyber-attack as 'use of force' and/or 'armed attack'

• Whether the protection of critical Internet infrastructure (for example, the DNS system) should be part of the work of the UN GGE

• Whether it is sufficient to apply existing norms of international law or there is a need to adopt new norms

• Whether cyberspace is a unique domain in international affairs

• How to apply state responsibility in digital issues

• What the responsibility of states should be with regards to acts of non-state actors against the cyber infrastructure of other states

• Whether the UN GGE should focus on disarmament and the de-militarisation of cyberspace or a more precise use of the law of armed conflict

• How to operationalise the norm of not attacking critical infrastructure in peacetime

• Whether digital critical infrastructure is a global public good

• How to ensure wider involvement in the UN GGE's work beyond limited membership (in particular how to involve developing countries)

• How to deal with the challenge of technical, legal, and policy attribution for cyber-attacks

• How to deal with the dual-use nature of cyber technology

• How to ensure effective communication with technical, business, and civil society communities.