UN Open-ended Working Group (OEWG)

The UN plays a crucial role in global cybersecurity negotiations, with the issue of information security being on the UN agenda since 1998 when the Russian Federation introduced a draft resolution on the subject in the First Committee of the UN General Assembly.

This page provides comprehensive coverage of ongoing and past First Committee processes related to cybersecurity, peace, and security at the UN, including the Groups of Governmental Experts (GGEs) and the Open-ended Working Group (OEWG).

The current process (OEWG 2021-2025)

Currently, the focus is on the work of the UN Open-Ended Working Group (OEWG) on the security of and in the use of information and communications technologies in 2021–2025, established in 2021 by UNGA resolution A/RES/75/240.

Drawing shows standing observers studying a bar chart on the wall. The chart shows the relationship of threats, norms, international law, confidence-building measures, capacity building and regular institutional dialogue from 2019 through 2024 with a red bar. A UN logo is shown on the wall to the left of the chart.

After the first three substantive sessions held in December 2021, April and July 2022, the main stumbling block was the participation of non-state stakeholders in the OEWG process. Despite tensions due to the war in Ukraine, some progress in confidence-building measures and capacity building was made. However, states disagreed on whether existing international law applies to ICTs and whether new norms are needed.

In July 2022, delegations adopted stakeholder modalities, agreed to establish a Points of Contact (POC) directory, and reached a compromise on the group's first Annual Progress Report. Annual Progress Reports serve as a roadmap for further negotiations. 

In 2023, discussions on the applicability of international law to ICTs and on norms of responsible behaviour did not advance. However, work on the operationalisation of the POC Directory started. In July 2023, delegations reached a compromise on the second Annual Progress Report.

In 2024, delegations remained divided on the applicability of international law on ICTs and on norms of responsible behaviour. But two major successes were achieved: The POC Directory was officially launched in May 2024, and the delegations agreed on the basic elements of the mechanism that will follow the OEWG.

Recent achievements

In July 2024, delegations reached a compromise on the third Annual Progress Report at the OEWG's eighth substantive session in New York.

Next steps

The OEWG will meet for its ninth substantive session on 2-6 December 2024. The schedule of events for 2024/2025 is available here.

 

Future process (PoA and elements of the future mechanism)

Co-proposed by 40 states, a Programme of Action (PoA) for advancing responsible state behaviour in cyberspace would establish ‘a permanent UN forum to consider the use of ICTs by states in the context of international security’. The proposal suggests that the PoA take a single, long-term, inclusive, and progress-oriented format; its implementation and follow-up measures could subsequently be endorsed by the UNGA. In November 2022, the First Committee of the UNGA adopted resolution A/RES/78/16 on the programme of action (PoA) on cybersecurity. This means the UNGA welcomed the proposal for a PoA as a permanent, inclusive, action-oriented mechanism.

States continued to discuss the scope, structure and content of the future mechanism during 2023 and 2024, with a significant breakthrough in June and July 2024, when the Chair published elements for the establishment of an open-ended action-oriented permanent mechanism on ICT security, building upon the resolution A/RES/78/16 on the PoA.

During negotiations in July 2024, delegations agreed on the elements for the future mechanism, enshrined in Annex C of the third APR.

Another tricky question was the modalities of stakeholder engagement with the mechanism. The future mechanism will be a First Committee process and, therefore, a state-led process. However, there is room - and need - for stakeholder participation. Some states consider the ad-hoc committee on cybercrime modalities for stakeholder engagement to be the gold standard, where stakeholders attend any open formal sessions of the ad hoc committee, make oral statements, time permitting, after member states’ discussions, and submit written statements. Other countries caution that the OEWG’s own much-discussed modalities should be applied because they are the hard-won result of delicate compromise. This issue was ultimately deferred to the group’s next meeting.

Body of existing agreements

The body of existing agreements refers to the framework of responsible behaviour of states in cyberspace. This framework is sometimes also called ‘acquis’, a term borrowed from the EU for the body of common rights and obligations that is binding on all the EU member states. While it has quickly been adopted for informal discussions, there is still no clear understanding of everything it encompasses.

It encompasses the GGE 2013 report, the GGE 2015 report, the GGE 2021 report and the OEWG 2021 report. All reports were adopted by respective resolutions of the UNGA by consensus of all states. Additionally, other resolutions, such as those that established the GGEs and OEWGs on cybersecurity, also play a role, as states refer to some of them throughout negotiations. This particularly refers to the UNGA resolutions that established the OEWG in 2018 and 2020, since they do not entirely match the GGE reports, but rather reflect on other issues such as propaganda, and have procedural implications.

Most recently, the APRs of the OEWG 2021-2025 note that the framework of responsible State behaviour in the use of ICTs includes voluntary norms, international law, and confidence-building measures (CBMs). However, delegations, including the USA, Israel, Thailand, and Iran, contend that voluntary norms and CBMs cannot be classified as obligations. They argued that, by definition, voluntary norms are not obligatory and that CBMs, within the context of this OEWG, are also voluntary. These delegations emphasised that states cannot be held accountable for obligations arising from non-binding agreements. However, the language remains in the APRs.

Unresolved issues

Despite long-running discussions and several consensus reports, there are a number of issues that remain open.

Existing and potential threats

  • Are ransomware and cryptocurrency theft threats to international security?

Some countries claim that ransomware, cryptocurrency theft, and financing of malicious ICT activity using cryptocurrency cannot be linked to international peace and security because they are criminal activities and are financially motivated. Consequently, these issues are outside the OEWG’s mandate. However, the most recent annual progress report does contain references to these issues.

  • Are misinformation and disinformation threats to international security?

Some states recognise misinformation and disinformation as significant threats to the ICT environment. Concerns are also rising about the role of generative AI in these campaigns, especially its use in creating deepfakes that erode public trust and pose a risk to democracy, particularly during elections. However, the most recent annual progress report recognises ‘covert information operations’ as threats and does not reference misinformation and disinformation driven by advanced technologies, such as deepfakes.

Rules, norms and principles

  • Are new norms needed?

Are more norms needed at the moment? Or should the focus be placed on the implementation of existing ones? The 2015 GGE report, the resolution establishing the OEWG, and the final OEWG report provide room for developing additional norms over time. The OEWG 2021-2025 also has a mandate to further develop the rules, norms and principles of responsible behaviour of states. States have differing views on this issue: Some insist that new norms should be developed, some insist that existing norms should be implemented first, and some hold that the implementation of norms can be complementary to the gradual development of additional norms; these two processes are not mutually exclusive. 

Applicability of international law

  • Does international law apply to cyberspace?

The UN GGE reports, the final OEWG report, and the related UN General Assembly (GA) resolutions affirm that international law, including the UN Charter, applies to cyberspace. However, some states believe that existing international law does not apply to cyberspace. They do, however, note that principles of international law apply: sovereign equality of states, non-use of force and threat of force, settlement of international disputes by peaceful means, and non-interference in the internal affairs of states.

  • Which UN Charter principles apply to cyberspace?

Most states stated that the principle of sovereignty and sovereign equality, enshrined in Art. 2.1. of the UN Charter, applies in cyberspace. Most countries have also recognised the principle of due diligence in cyberspace.

Many states have reaffirmed the obligation of states to settle disputes peacefully in accordance with Art. 2.3 and Art. 33 of the UN Charter. This means states must use negotiation, enquiry, mediation, conciliation, arbitration, judicial settlement, resort to regional agencies or arrangements, or other peaceful means of their own choice. The customary international law obligation not to intervene in the internal or external affairs of another state, enshrined in Art. 2.7 of the UN Charter, applies to cyberspace, just as it applies to the physical realm. All states agree that they should refrain from the threat or use of force against other states’ territorial integrity or political independence, which also applies in cyberspace. However, there is no consensus on whether misuse of ICTs/cyberattacks can be qualified as armed attacks, per Art. 51 of the UN Charter (which permits the right to self-defence in case of armed attack). The states agree that the principles of due diligence, attribution, invoking the right of self-defence, and assessing whether an internationally wrongful act has been committed require additional work to understand how they apply in cyberspace.

  • Is there a need for a new legally binding instrument?

The need for a new legally binding instrument regulating the use of ICT by states remains an important question at the OEWG. Most countries do not see the need to develop a new legally binding instrument, opposing such a proposal and saying it would mean a significant setback in advancing international security and stability that would lead to confusion and misunderstanding. On the other hand, some countries are calling for developing a new, single, legally binding international instrument. These countries think that cyberspace is unique and cannot be addressed by applying existing international law, that gaps in existing international law require new legally binding regulation, or that how international law applies in cyberspace needs to be clarified.

  • Does international humanitarian law (IHL) apply to cyberspace?

The GGE 2021 report recognised that international humanitarian law (IHL) applies only in situations of armed conflict. Most delegations confirmed this in the discussions at the OEWG. These delegations see adherence to the IHL as of paramount importance as it offers fundamental protections and reduces the risks and potential harm to both civilians and civilian objects (IT infrastructure of hospitals or schools) and to combatants from cyber operations in the context of armed conflict. These states see it as a priority to clarify how IHL applies to cyber operations in armed conflicts.

Another group of states holds that the OEWG should not even discuss the applicability of IHL to the use of ICTs in the context of international security since it would imply that the states tacitly accept the possibility of an armed conflict in cyberspace, which would contribute to militarisation in cyberspace and would be the first step towards an armed cyberattack.

Capacity building

  • How should the UN ensure adequate and sufficient financing for capacity-building initiatives?

The proposal for a permanent UN-administered fund to support cybersecurity capacity building in developing countries generated significant debate among delegations. The supporters, including several developing nations and the Arab Group, advocate for the fund as a means to ensure equitable and sustainable access to financial resources, arguing that it would help bridge the digital divide and strengthen global cybersecurity. They pointed out that such a fund would provide consistent financing necessary for long-term initiatives, particularly in countries lacking robust cybersecurity infrastructure. However, other delegations expressed concerns about the management and oversight of the fund, fearing it could lead to duplication of existing funding mechanisms and questioning how the fund would be administered to avoid inefficiencies. For example, some European nations stressed the importance of leveraging existing structures like the World Bank’s cybersecurity initiatives, cautioning against the creation of parallel systems that might fragment international efforts.

  • What should be the scope and structure of the Global Cybersecurity Cooperation Portal, and how can it be streamlined with existing initiatives?

The proposal for a Global Cyber Security Cooperation Portal sparked a detailed debate on how this new platform should be integrated or synergised with existing cybersecurity portals to avoid duplication and enhance global cooperation. Delegations expressed concerns about the potential for overlap with established platforms like the Global Forum on Cyber Expertise (GFCE) Cyber Portal and the EU CyberNet, emphasising the need for careful coordination to ensure the new portal adds value rather than creating redundancy. On the other hand, some delegations, including those from developing countries, emphasised the portal’s potential to address gaps in current systems, particularly in terms of accessibility and tailored support for countries with limited cybersecurity resources.

  • How should the proposed UN Voluntary Trust Fund be operationalised, and how should it be integrated with existing funding mechanisms?

Delegations broadly supported the idea of establishing a UN Voluntary Trust Fund on security and ICT use; however, concerns emerged regarding its operationalisation. There was a need for more discussion on how the fund would be structured to avoid duplication with existing mechanisms, such as the World Bank Cybersecurity Multi-Donor Trust Fund and ITU funds. Additionally, delegations, including Australia, sought clarity on the eligibility criteria for accessing the fund, emphasising the importance of ensuring that it adds value without creating overlap or confusion within the current funding landscape.

  • How should foundational cybersecurity capacities be implemented globally: through standardised approaches or by tailoring them to the countries? 

The implementation of foundational cybersecurity capacities sparked a debate between adopting a universal, standardised approach and the need for customisation to fit national contexts. While many delegations agreed on the importance of key elements such as legal frameworks, CERTs, and incident response mechanisms, there was a clear division on whether these should be uniformly applied across all countries or adapted to each nation’s specific circumstances. The concern is that imposing a one-size-fits-all solution may not be effective in diverse environments.

  • Should gender and inclusivity be integrated into cybersecurity capacity building efforts?

The emphasis on gender-sensitive approaches in cybersecurity capacity building was met with mixed reactions. While some delegations praised the development of gender-sensitive toolkits and their application in capacity-building programmes, others criticised the inclusion of gender and youth topics in the capacity-building agenda, arguing that these issues were unrelated to the core mandate of the OEWG.

  • What is the appropriate role of nongovernmental stakeholders in cybersecurity capacity-building efforts?

The inclusion of a multistakeholder approach in capacity-building efforts sparked a debate among delegations. While most countries support the involvement of businesses, NGOs, and academia, there is strong opposition to portraying non-governmental stakeholders as equal participants in negotiations alongside states, as that could undermine state sovereignty in cybersecurity discussions.

Confidence building measures (CBMs)

  • What is the role of regional organisations in operationalising the POC directory and CBMs?

Regional organisations have been referred to mostly as examples and laboratories for the development of new CBMs and their implementation as these have been operationalised historically at a regional level. The POC directory in that instance has been directly inspired by other POC mechanisms such as between ASEAN and Japan or within the OSCE. A new development in CBM-related discussions concerned the use of standardised templates where inputs from the experience of regional organisations were also called upon. Concerns were nonetheless expressed about relying on regional organisations only for the implementation of CBMs which would leave out states not participating in such organisations.

  • Should additional CBMs be formulated?

Most additional CBMs proposed throughout the sessions were adopted (organisation of seminars, workshops and training programmes, exchange of information on the protection of critical infrastructures, strengthening of the public-private sector partnerships). So far, only the coordinated vulnerability disclosure first appearing in the 4th substantive session has been brought up occasionally but never adopted. The building of a common terminology as an additional CBM is a half-resolved issue (see next section on common terminology). Finally, it is likely that the discussion of additional CBMs may strictly revolve around the development of the POC directory (see next section on what’s next for the POC directory).

  • Should countries build a common terminology?

The building of a common terminology or taxonomy is an issue at least as old as the 4th substantive session and is regularly brought up in discussions as a way to enhance exchanges and effective communication. This nevertheless is often met with reluctance by several delegations as an obstacle to the discussion of more practical CBMs. States have only agreed to share national ICT terms and terminologies since the second APR, but this disposition is still met with scepticism by some delegations with regard to its utility. Further development in these discussions may be enabled by progress at a regional level (Mercosur has been mentioned as working on this kind of common taxonomy).

  • What’s next for the POC directory?

Now that most states have appointed their POCs and the first ‘ping’ test (a test conducted by the directory manager to verify that the information in the directory is up-to-date) has been run, the evolution of the POC directory is the most debated CBM-related issue. Some states do not want to overburden the POC directory now, but the development of standardised communication templates was nonetheless adopted in summer 2024, and the UN Secretariat is expected to present an example of such a template in April 2025. The expansion – or not – of the POC directory will most likely be the centre of future discussions, as the mechanism is considered to be the flagship achievement of the OEWG and one of the pillars of the permanent mechanism.

Regular institutional dialogue (RID)

  • How many thematic groups should be established and what should they discuss?

There is no agreement on which themes the thematic groups should tackle. Some countries suggest that the groups should follow the thematic areas that the OEWG discusses, as those themes result from previously achieved consensus. Others suggested the groups should have a narrower focus, such as the protection of critical infrastructure (CI), cyber incident response or victim assistance. Some states warned that creating too many thematic groups would make it challenging for smaller delegations to participate, making the groups noninclusive.

  • How should stakeholders participate in the work of the mechanism?

The future mechanism will be a First Committee process and, therefore, a state-led process. However, there is room – and need – for stakeholder participation. Some states consider the ad-hoc committee on cybercrime modalities for stakeholder engagement to be the gold standard, where stakeholders attend any open formal sessions of the ad hoc committee, make oral statements, time permitting, after member states’ discussions, and submit written statements. Other countries caution that the OEWG’s own much-discussed modalities should be applied because they are the hard-won result of delicate compromise. This issue was ultimately deferred to the group’s next meeting.

Past processes: the GGEs and the OEWG 2019-2021

2004-2021: Six UN Groups of Governmental Experts (GGE)

The UN Groups of Governmental Experts (GGE) on Advancing responsible State behaviour in cyberspace in the context of international security (formerly: on Developments in the Field of Information and Telecommunications in the Context of International Security) convened from 2004 until 2021.

2019-2021: UN OEWG and sixth GGE in parallel

In 2018, the UNGA adopted two resolutions (one sponsored by the USA (A/RES/73/266), the other by Russia (A/RES/73/27)), which set up the continuation of the GGE in 2019–21 and the UN OEWG.

2019-2020: The Open-Ended Working Group (OEWG) 2019/2020

The OEWG 2019/2020 was established by the UN General Assembly in December 2018 (A/RES/73/27).