UN OEWG and GGE
This page provides detailed and real-time coverage on cybersecurity and peace and security negotiations at the United Nations.
The use of cyberattacks by states – and, more generally, the behaviour of states in cyberspace in relation to maintaining international peace and security – is moving to the top of the international agenda.
Historically, as you can consult further down, the basis for cybersecurity at the UN was laid by the work of the UN Group of Governmental Experts (UN GGE) between 2004 and 2021. Currently, the focus is on the work of the UN Open-Ended Working Group (OEWG) on Developments in the Field of Information and Telecommunications in the Context of International Security.
In November 2022, the First Committee of the UNGA adopted a resolution on the programme of action (PoA) on cybersecurity, which proposes to establish a PoA as a permanent, inclusive, action-oriented mechanism after the OEWG 2021-2025 ends.
The following steps: The OEWG will hold its fourth substantive session on 6-10 March 2023 in New York, the USA.
For most recent updates, consult the menu to the right.
To learn more about risks of cyber conflict, global negotiations on cyber-norms and the framework of responsible behaviour, and cyber diplomacy, enrol on our Cybersecurity Diplomacy online course.
The current process - OEWG 2021-2025
In December 2020, the OEWG was renewed for 2021-2025 (A/RES/75/240). The OEWG started its second mandate (2021–2025) with the organisational session held in June 2021. After the three substantive sessions of the OEWG held in December 2021, April and July 2022, the main stumbling stone remains the participation of non-state stakeholders in the OEWG process. Despite tensions due to the war in Ukraine, some progress in confidence-building measures and capacity building was made. At the third substantive session, held in July 2022, delegations reached a compromise on the Annual Progress Report, which will serve as a roadmap for further negotiations.
The future process - PoA
Co-proposed by 40 states, a Programme of Action (PoA) for advancing responsible state behaviour in cyberspace would establish ‘a permanent UN forum to consider the use of ICTs by States in the context of international security’. The proposal suggests the PoA to be in a single, long-term, inclusive, and progress oriented format; its implementation and follow-up measures could be subsequently endorsed by the UN GA.
In November 2022, the First Committee of the UNGA adopted a resolution on the programme of action (PoA) on cybersecurity.
Framework of responsible behaviour (the acquis)
The term ‘acquis’ (a reference to the EU’s body of laws) which popped up in recent cyber negotiations, refers to the body of existing agreements. While it has quickly been adopted for informal discussions, there is still no clear understanding of everything it encompasses.
It does encompass:
All reports were adopted by respective resolutions of the UNGA by consensus of all states.
Additionally, other resolutions, such as those that established the GGEs and OEWGs on cybersecurity, also play a role, as states refer to some of them throughout negotiations. This particularly refers to the UNGA resolutions that established the OEWG in 2018 and 2020, since they do not entirely match GGE's reports, but rather reflect on other issues such as propaganda, and have procedural implications.
The timeline below shows when the aforementioned documents were adopted and what their most important points were.
Report of the UN GGE 2009/2010, which includes recommendations for:
- Further dialogue among States to reduce the risk and protect critical national and international infrastructure
- Confidence-building, stability and risk reduction measures
- Information exchanges on national legislation and strategies, and capacity-building measures
- The elaboration of common terms and definitions related to information security
- Capacity-building in less developed countries
Report of the UN GGE 2012/2013 (later adopted by the UN General Assembly Resolution A/RES/68/243), which includes:
- Recognition that international law, and in particular the UN Charter, applies to digital space
- Norms, rules, and principles on the responsible behaviour of States
- Reference that state sovereignty applies to the digital field
- The principle that states must meet their international obligations regarding internationally wrongful acts in cyberspace attributable to them
Report of the UN GGE 2015 (later adopted by the UN General Assembly Resolution A/RES/70/174), which includes:
- Principles of State sovereignty, the settlement of disputes by peaceful means, and non-intervention in the internal affairs of other States, applies to cyberspace
- Recognition that states must comply with their obligations under international law to respect and protect human rights and fundamental freedoms
- Agreement that UN should play a leading role in developing common understandings on the application of international law and norms, rules and principles for responsible State behaviour
- Other norms, rules, and principles on the responsible behaviour of States
- Confidence-building measures
- Invitation for international cooperation and assistance in ICT security and capacity-building
UN GA on OEWG resolution includes:
- Setting up the OEWG
- Welcoming a chosen set of norms enshrined in the GGE Reports of 2013 and 2015
Consult UN GA Resolution on Establishment of the Second OEWG that includes:
- The renewal of the OEWG for a period of five years – 2021 to 2025, with the same mandate
- The organisational session of the new OEWG be held in 2021 and includes the establishment of thematic subgroups, allowing interaction with other stakeholders.
- The group is to provide an annual progress report and a final report to the 80th UNGA, starting in autumn 2025.
- Reaffirmation of the results of the previous reports of the Group of Governmental Experts (GGE), as well as that international law, and in particular the Charter of the UN, is applicable to cyberspace
- Norms do not replace or alter states’ obligations or rights under international law – which are binding – but rather provide additional and specific guidance on what constitutes responsible state behaviour in the use of ICTs
- Recommendation that states voluntarily identify and consider CBMs
- Recommends that appropriate to their specific contexts, and cooperate with other states on their implementation
- Comprehensive capacity building measures in the field of ICT security
Despite long-running discussions and several consensus reports, there are a number of issues that remain open.
Past processes: GGE and OEWG 2019-2021
The Open-Ended Working Group (OEWG) 2019/2020
The OEWG 2019/2020 was established by the UN General Assembly in December 2018 (A/RES/73/27).
The UN Group of Governmental Experts (GGE)
The UN Group of Governmental Experts (GGE) on Advancing responsible State behaviour in cyberspace in the context of international security (formerly: on Developments in the Field of Information and Telecommunications in the Context of International Security) have convened from 2004 until 2021.
GGE vs OEWG
In 2018, the UNGA adopted two resolutions (one sponsored by the USA (A/RES/73/266), the other by Russia (A/RES/73/27)) which set up the continuation of the GGE in 2019–21 and the UN OEWG. During 2019-2021, the GGE and the OEWG worked in parallel in somewhat different settings. Considerable cooperation between the chairs of the two groups was established, and many countries played an active and constructive role in both.
(Click on the infographic below, or here, for a voice-reader accessible .pdf version.)
Cyber diplomacy web discussions:
Geneva Dialogue on Responsible Behaviour webinars
Geneva Dialogue on Responsible Behaviour outputs