UN GGE and OEWG

Episodes of cyber warfare between states already exist. What is worse is that there is no regulatory scheme for that type of warfare, it is not clear how the Geneva Convention or international humanitarian law applies to it.

UN Secretary-General Antonio Guterres, 2018

There is evidence from official documents and media coverage that countries are increasingly investing in defensive as well as offensive cyber-capabilities.

In 2004, the UN General Assembly has established the Group of Governmental Experts (GGE) to examine the impact of developments in ICT on national security and military affairs. Six GGEs have been convened – in 2004/2005 (A/RES/58/32), 2009/2010 (A/RES/60/45), 2012/2013 (A/RES/66/24), 2014/2015 (A/RES/68/243), 2016/2017 (A/RES/70/237), and 2019/2021 (A/RES/73/266). In addition, the UN General Assembly has also established the Open-Ended Working Group for 2019/2020 (A/RES/73/27).

• Members

GGE members in 2019-2021 are Australia, Brazil, China, Estonia, France, Germany, India, Indonesia, Japan, Jordan, Kazakhstan, Kenya, Mauritius, Mexico, Morocco, Netherlands, Norway, Romania, Russian Federation, Singapore, South Africa, Switzerland, United Kingdom, United States, and Uruguay. Ambassador Guilherme de Aguiar Patriota of Brazil was elected as the Chair of the GGE. The map of GGE members from 2004 onward is below.

• Selection and Composition

The UN GGE is composed 'on the basis of equitable geographical distribution'. Traditionally, the five permanent members of the Security Council have a seat on all GGEs, and the remaining seats are allocated by grouping. Upon the call for expression of interests, States send an official request for a seat on a GGE of particular interest to them, and might even lobby at the highest levels of the Secretariat for a place at the table.

The Office of the High Representative for Disarmament Affairs has the task of proposing the Group’s composition to the Secretary-General who decides, taking into account not only geographical and political balance, but a demonstrated interest in the topic, the number of times a country has served on other GGEs, whether they are currently serving on a different GGE, etc. Occasionally a government might decline to participate in a GGE if it believes it lacks the personnel or expertise necessary for the work.

Once the countries have been identified and notified, they are asked to nominate an expert to participate in the GGE. In almost all cases, these experts are government officials. Early GGEs included a mix of experts on information security, some with diplomatic backgrounds and others with a more technical background. Over time, the composition of the experts changed, as countries chose to select experts with, arms control, or non-proliferation experience. Experts technical backgrounds can be 'left behind' in the sometimes intense diplomatic negotiations that accompany a GGE.

Each GGE selects a Chair from among its members. A strong and skillful Chair is vital to the success of the group. The Russian Federation chaired in 2005 and 2010, Australia in 2013, Brazil in 2015, and Germany in 2016. Brazil chairs the 2019-2021 Group. While it is the experts who sit at the table (there are no 'delegations'), some experts are accompanied by advisers. In the recent GGEs, legal advisers have been particularly common.

• Procedures

The Group, guided by the Chair and shaped by the mandate included in the General Assembly resolution, largely determines its own agenda and work plan. The work, particularly commenting on drafts and informal consultations is often conducted.

Most GGEs meet for four one-week sessions. The Group holds its meetings in the UN format, sitting for six hours a day (from 10 a.m. 1 p.m., and then again from 3 p.m. 6 p.m.), with simultaneous interpretation in all six official languages of the UN. The GGEs' meetings are closed and there are no publicly available meeting summaries. The closed-door format is considered essential for the frank discussions to enable GGEs to find agreement. Thus, there are also no observers - whether representatives from other governments, non-governmental organisations, the private sector or international organisations.

On more than one occasion it has been suggested that the International Telecommunications Union (ITU), the UN specialised agency responsible for developing technical standards for ICTs, may be invited to observe the group. However, the General Assembly mandates the work of the GGEs squarely in the realm of international security and disarmament, and thus not as a technical exercise.

The UN Office for Disarmament Affairs serves as the Secretariat to the cyber GGEs.

• Decision-making

Decisions, including decisions on the final Report, are made by consensus.

• Relations with other UN bodies and processes

The fact that the GGE falls under the UN First Committee has important implications for how the Group interprets its mandate, by focusing and narrowing the scope of the task. The First Committee is the Main Committee of the General Assembly and is allocated agenda items on disarmament and international security.

After multiple discussions, GGEs have decided that the issues not under the purview of the First Committee - such as espionage, Internet governance, development and digital privacy - are not the focus of the Group’s work. While terrorism and crime are important topics for understanding, previous GGEs have limited themselves to calling for greater co-operation among states, while deciding that detailed discussion of these topics and the development of recommendations for them is best done  other UN bodies.

In 2019-2021, UNODA is mandated to organise series of consultations with Regional Organisations, in particular the African Union, the EU, the OAS, the OSCE and the ASEAN Regional Forum. The consultations take place back-to-back with relevant meetings of the Regional Organisations, with participation by some GGE Members and, where possible, the Chair. Summary reports of these consultations are then sent to the GGE.

Source: UNIDIR's Report on the International Security Cyber Issues Workshop Series

The OEWG was established by the UN General Assembly in December 2018 (A/RES/73/27). It is tasked to continue to develop the rules, norms, and principles of responsible behaviour of states, discuss ways for their implementation, and to study the possibility of establishing regular institutional dialogue with broad participation under the auspices of the UN. Official page of the OEWG is here.

• Participation

The composition is declared as open, allowing all UN member states that express a desire to participate. In addition, OEWG will hold consultative meetings with the interested parties - business, non-governmental organisations and academia - which can apply to attend the meetings (deadline for application to attend intersessional and 2020 meetings is 1 October 2019); application is managed by UNODA and approved on a 'no objection' basis (i.e. Objections by the governments). Ambassador Jürg Lauber of Switzerland was selected as the Chair of the OEWG.

• Agenda

According to paragraph 5 of the GA Resolution A/RES/73/27, there are six substantive issues for discussion:

1. Existing and potential threats;
2. International Law;
3. Rules, norms and principles;
4. Regular institutional dialogue;
5. Confidence building measures;
6. Capacity building.

The OEWG will work according to the preliminary agenda, to develop its report on a consensual basis.

Comprehensive report from the first substantive session is available here.

• Timeline

The OEWG started its work 3-4 June 2019, with an organisational meeting that gathered representatives of almost 100 member states. Its first substantive session was scheduled for 9-13 September 2019, followed by the intersessional consultative meeting 2-4 December 2019, second substantive session 10-14 February 2020, and the final substantive session 6-10 July 2020. It should report to the 75th session of the UN General Assembly, 15-30 September 2020.

Does existing international law apply to cyberspace? 

There is broad agreement that international law applies, which is expressed in the reports of the GGE as well as the related UN General Assembly (GA) resolutions; more specifically, states agree that the jurisdiction of a state over the information and communications technology (ICT) in its territory applies, and that states should not conduct internationally wrongful acts attributable to them, nor use proxies for such acts. 

Yet, a number of issues remain open: 

• (How) Do the established principles of international humanitarian law – humanity, necessity, proportionality, and distinction – apply? The principles were agreed upon by the GGE in 2015, but were not re-iterated in the resolution that established the OEWG, which may signal differences in positions.
• How does international law apply to cyber-attacks in peacetime (as part of a ‘hybrid warfare’)?
• Should discussions include control of arms proliferation, or a more precise use of the Law of Armed Conflict?
• How to deal with the dual-use nature of ICTs – address only the use which endangers peace and security?

How does the UN Charter apply to cyberspace? 

There is a broad agreement that the UN Charter applies to cyberspace, which was confirmed by the GGE reports and the related UN GA resolutions. ‘The devil is in the details’, however:  the definition of an armed attack and use of force in cyberspace is not clear: Is it limited to attacks that cause physical damage and injury, or would other effects (eg. financial, environmental, economic, or political) of a cyber-attack fall under as well? Should this decision remain under the exclusive responsibility of states – perhaps by certain factors such as context, intent, or severity of effects, as suggested in the Tallinn Manual 2.0? In general, (most) states might not have the incentive to define it, in order to leave the interpretation by each state at its own discretion. This could be particularly beneficial for the strong, developed countries, but small countries may also benefit from the lack of clarity as that leaves them with some advantages of ‘asymmetric warfare’ (ability to conduct high-effect attacks with relatively affordable cyber-means). The major stumbling issue, however, is the right to self-defence.

(How) Does the right to self-defence, enshrined in the UN Charter (Art. 51), apply to cyber-attacks? 

In particular, should the countries under cyber-attack be allowed to respond to it by all means, including the all-out military options with traditional warfare means? This question was one of the main reasons – if not the main reason – for the failure of the GGE to reach consensus in 2017 (link). The GGE 2015 report, approved by the UN GA, confirms (Art. 28c) the inherent right of states to take measures consistent with international law (with a note that further study is needed); yet the resolution that established the OEWG does not re-iterate this position. Positions on this issue are openly divergent: 

• The North Atlantic Treaty Organization (NATO) confirmed that Art. 5 of its Treaty allows the response by all means (including conventional weapons) in case of a cyber-attack against one of its members; 
• Russia finds that the traditional use of force is not a legitimate response to cyber-attacks, at least not without the approval of the UN Security Council and according to the UN Charter, which would allow the accused party to defend itself before the Security Council. It further requests that sources of cyber-threats are not identified by (attacked) states independently and arbitrarily, without evidence, particularly if this could lead to devastating counter-strikes;
• Some small states, like Cuba, believe that a cyber-attack is not tantamount to an armed attack, and thus, the right to self-defence should not be used in such cases.

An additional grey zone is the right to self-defence against armed attacks conducted by non-state actors, or state proxies.

In what other ways can countries respond to cyber-attacks? 

While the right to self-defence may apply once the attack has occurred, what other options does a state have to respond to cyber-attacks, and deter counterparties from conducting attacks? Also, should anticipatory self-defence (to deter imminent threats) – or even pre-emptive strikes – be considered?

The USA and the European Union consider the following actions to be acceptable: 

• the US believes in a ‘Cyber Deterrence Menu’ of countermeasures that states can take when the attack occurs, in order to deter more attacks, or apply the accountability of the attackers: private and public attribution, sanctions, deterrence alliances, and even ‘defence forward’ (or pre-emptive) cyber-strikes
• France believes anticipatory self-defence may be allowed, but not pre-emptive strikes. 
• the EU has adopted its ‘Cyber-diplomacy toolbox’ and ‘Sanction regime’, as official options for political response to – and deterrence of – cyber-attacks.

It  also remains open whether states should have the duty to notify the other state against which they plan to launch countermeasures. 

How should attribution of cyber-attacks be conducted? 

This is probably one of the most complex dilemmas, as it involves a mix of technical, legal, and political aspects. There are no agreed methodologies on how to establish attribution to cyber-attacks; there are divergent views of experts over how reliable current technical means for tracing the origins of attacks are; certain aspects of the intelligence-gathering – such as conventional intelligence activities and cyber-espionage for collecting digital evidence – are understandably kept secret by the parties working on attribution; lack of transparency over evidence in the recent avalanche of mutual public accusations among the states adds to complexity. While both the GGE report (Art. 28f) and the resolution that established the OEWG (Art 1.2) confirm that the indication of the origin of the attack might not be enough for attribution, and that accusations need to be substantiated, official positions of the main actors are clearly divergent:

• the US, its NATO allies, and some of the large Internet industry players, engage in ‘collective attribution’, in the form of a joint public ‘naming and shaming’ of the suspects;
• Russia sees such an approach as a pseudo-legal concept where a group of countries accuse a third country, conducted without disclosed evidence, and demands evidence-based attribution.

When (or which) cyber-operations violate sovereignty? 

Both the GGE 2015 report, and the Resolution that established the OEWG, confirm that state sovereignty applies to ICT, and that states have jurisdiction over ICT in their territory. It remains unclear, however, what effect of a cyber-attack qualifies as a violation of sovereignty: in particular, is violation limited to physical damage, injury, and loss of the functionality of systems, or does it include network clogging due to DDoS, or penetration into the networks of sovereign countries (such as for forensics, espionage, or implanting ‘logic bombs’)? In the later case, under what circumstances is interference with inherently governmental functions considered violation of sovereignty? There are ongoing debates on the legal nature of the Draft articles on Responsibility of States for Internationally Wrongful Acts, adopted by the International Law Commission. 

Should due diligence be an obligation? 

Due diligence is an obligation of states to prevent their territory from being used for launching cyber-attacks by state or non-state actors against other states. Norms set in the GGE 2015 report and reiterated in the OEWG resolution request that countries not allow their territory to be used for internationally wrongful acts, and to mitigate cyber-attacks against the critical infrastructure of other countries that come from their own territory. As with all the GGE norms, this one is voluntary as well; in practice, there may be a number of reasons why its implementation could be limited: for instance, states may react only, rather than try to prevent attacks, or they may excuse themselves by claiming not to know that cyber-attacks have been conducted. the EU and its partners believe that due diligence should be a binding obligation (both in cyberspace and beyond it), following the International Court of Justice judgement in 1949, and warn that not adhering to it may result with countermeasures by the attacked country; Russia and its allies, on the other hand, oppose the due diligence as an obligation in general, and only approve what has been agreed upon by the GGE.

How can state responsibility in cyberspace be applied? 

While all of the norms stated in the GGE 2015 report (Art. 13) have been approved by the GA both in a subsequent resolution and the resolution that established the OEWG – which signals the agreement of major actors at least – the challenge on how to enforce them remains. An open question is also who should be in the driver’s seat of the enforcement – the GGE, the OEWG, and/or regional organisations (see below)? It is likely that the GGE will focus on mapping the components required for the implementation of existing norms.

Additional norms

Are more norms needed at the moment? Or should the focus be placed on the implementation of existing ones? Both the GGE 2015 report and the resolution that established the OEWG provide space for the development of additional norms over time. Some of the options raised by different parties – with evident divergence in positions – include the work on norms proposals of the Global Commission on Stability of Cyberspace (such as the norm related to protecting the public core of the Internet), preventing injury to civilians, mitigation of effects during incidents, protection of electoral systems, but also norms related to the effects of artificial intelligence (AI) on security, fake news and disinformation, the protection of the core Internet infrastructure as public goods, cybercrime issues, and similar.

To what extent should the GGE and the OEWG work on issues beyond their mandate?

Should the GGE and the OEWG deal with issues that do not fall within their mandate directly, but have an impact on their work? While there is a broad agreement on the existing GGE 2015 norm (Art. 13e) related to the protection of human rights, freedom of expression, and privacy, and even preserving the free flow of information which was added to the resolution that established the OEWG (art. 2), a couple of other issues may come to the table:

• Right and duty of states to combat dissemination of false and distorted news, and request for states to abstain from defamatory campaigns, vilification or hostile propaganda – both understood as interference in internal affairs – were officially brought up by the resolution that established the OEWG. This call was introduced by Russia and its allies, which states the importance of ensuring the credibility of information and combating fake news. The USA and its allies, on the other hand, believe that these issues fall under a different legal framework – one related to the freedom of speech – and opt for distinguishing between the security of networks and policing content, as well as between human nature and state-on-state interference on freedoms, and suggest that combating fake news should be addressed through public-private partnerships with the Internet industry.
• Internet governance, particularly in its narrow definition as critical Internet resources (DNS and IP management), as well as combating crime and terrorism, were particularly excluded from the related UN negotiations in the closing clauses of the GGE 2015 report, by suggesting that the UN should lead, but not duplicate efforts undertaken on crime and terrorism, human rights, or Internet governance; the resolution that established the OEWG, however, does not re-affirm this clause.
• Both the GGE 2015 report and the resolution that established the OEWG agree on the norm that requires states to co-operate in combating crime and terrorism. While the US and its allies oppose further discussions on the matter within the OEWG, Russia and its allies might find space for the OEWG to take up their resolution on countering the use of ICT for criminal purposes, adopted by the UN GA in 2018 , in order to build momentum for an overarching international Code of Conduct for cyberspace, proposed earlier .
• Supply chain security has been raised by several states – in particular China, Iran, and India – which may include states sustaining non-discriminatory business environments, upholding unrestricted ICTs development and research, not exploiting their dominant position – resources, technologies, services, and infrastructure – at the cost of the security and stability of other countries, and defining the responsibilities of the private sector for securing the chain and not misusing their monopoly.
• The security of elections has been high on the agenda of global discussions recently. While some western states might consider raising this as a possible norm, it may become a slippery ground for discussion, as it combines the security of the voting infrastructure and the voting environment (including content-related issues such as social media and fake news).

Confidence building measures

Confidence building measures (CBMs) are the second pillar of the international framework under construction, along with norms and capacity building. While the GGE has agreed on a set of CBMs, a major break-through was had by regional organisations, in particular the OSCE. The main open question is: who should be in the driver’s seat of further development and implementation of the CBMs – the GGE, the  OEWG, and/or the regional organisations? Russia, for instance, stands that the OEWG should further develop a set of CBMs, unifying the existing ones developed on regional levels, and thus take over this work from them. the US and its allies, on the other hand, believe that regional organisations should continue being the primary driver in the development and implementation of the CBMs.

Capacity building

Capacity building is the third pillar of the international framework under construction. There is a general agreement over the importance of capacity building, and the GGE report as well as regional organisations have suggested certain focus in this regards. The main open questions relate to: how to implement capacity building measures, namely who pays (and should pay) for this; what form this should take; and, who should be the target group(s) – policy-makers primarily, or also other stakeholders, such as industry and the technical community that can help in implementing the CBMs? 

Other stakeholders

There is a broad agreement that the involvement of the private sector in particular, but also academia and civil society, is beneficial. The open question is what the roles and responsibilities of the other stakeholders should be (in this regard, the Geneva Dialogues have provided some guidelines), and how to ensure communication with them, and their effective involvement.

Roles of the GGE and the OEWG 

One of the main stumbling stones in the initial phase is who should do what: What should be the focus of the GGE and of the OEWG, respectively? The resolutions that have established the two groups have defined their broad mandates: both the OEWG and the GGE are to work on norms, CBMs, and the applicability of international law to cyberspace, yet, the OEWG is also to discuss establishing regular institutional open-ended dialogue within the UN. In particular:

• The OEWG: According to Russia and its allies, it should revisit the GGE reports – now, together with all 193 states; develop further CBMs and discuss their effectiveness and implementation; establish a permanent entity under the auspices of the UN to discuss cyber issues in the future; and, to develop a draft resolution(s) related to cybersecurity – possibly to be adopted in 2020. The US and its allies, however, see the main role of the OEWG as enabling other states – particularly those that were not part of the GGE process – to better understand the existing normative framework for responsible behaviour that was developed by the GGE, as well as to define the capacity building needs of states and other stakeholders in order to implement existing norms and CBMs; they believe that the development of CBMs should remain the task of regional organisations, while the main venue for future dialogue should also be left to regional organisations, as well as multistakeholder processes like the Paris Peace Forum, IGF, and the like.
• The GGE: The USA and its allies opt for looking into more technical issues on the implementation of the existing normative framework, and in particular, resolving open issues on how international law applies to cyberspace, as well as ways to enforce the implementation of existing norms.