UN Open-ended Working Group (OEWG)

• Are new norms needed?

Are more norms needed at the moment? Or should the focus be placed on the implementation of existing ones? The 2015 GGE report, the resolution establishing the OEWG, and the final OEWG report provide room for developing additional norms over time. The OEWG 2021-2025 also has a mandate to further develop the rules, norms and principles of responsible behaviour of states. States have differing views on this issue: Some insist that new norms should be developed, some insist that existing norms should be implemented first, and some hold that the implementation of norms can be complementary to the gradual development of additional norms; these two processes are not mutually exclusive. 

• Does international law apply to cyberspace?

The UN GGE reports, the final OEWG report, and the related UN General Assembly (GA) resolutions affirm that international law, including the UN Charter, applies to cyberspace,. However, some states believe that existing international law does not apply to cyberspace. They do, however, note that principles of international law apply – sovereign equality of states, non-use of force and threat of force, settlement of international disputes by peaceful means, and non-interference in the internal affairs of states.

• Which UN Charter principles apply to cyberspace?

Most states stated that the principle of sovereignty and sovereign equality, enshrined in Art. 2.1. of the UN Charter, applies in cyberspace. Most countries have also recognised the principle of due diligence in cyberspace.

Many states have reaffirmed the obligation of states to settle disputes peacefully in accordance with Art. 2.3 and Art. 33 of the UN Charter. This means states must use negotiation, enquiry, mediation, conciliation, arbitration, judicial settlement, resort to regional agencies or arrangements, or other peaceful means of their own choice. The customary international law obligation not to intervene in the internal or external affairs of another state, enshrined in Art. 2.7 of the UN Charter, applies to cyberspace, just as it applies to the physical realm All states agree that they should refrain from the threat or use of force against other states’ territorial integrity or political independence, which also applies in cyberspace. However, there is no consensus on whether misuse of ICTs/cyberattacks can be qualified as armed attacks, per Art. 51 of the UN Charter which permits the right to self-defence in case of armed attack). The states agree that the principles of due diligence, attribution, invoking the right of self-defence, and assessing whether an internationally wrongful act has been committed require additional work to understand how they apply in cyberspace.

• Is there a need for a new legally binding instrument?

The need for a new legally binding instrument regulating the use of ICT by states remains an important question at the OEWG. Most countries do not see the need to develop a new legally binding instrument, opposing such a proposal and saying it would mean a significant setback in advancing international security and stability that would lead to confusion and misunderstanding. On the other hand, some countries are calling for developing a new, single, legally binding international instrument. These countries think that cyberspace is unique and cannot be addressed by applying existing international law, that gaps in existing international law require new legally binding regulation, or that how international law applies in cyberspace needs to be clarified.

• Does international humanitarian law (IHL) apply to cyberspace?

The GGE 2021 report recognised that international humanitarian law (IHL) applies only in situations of armed conflict. Most delegations confirmed this in the discussions at the OEWG. These delegations see adherence to the IHL as of paramount importance as it offers fundamental protections and reduces the risks and potential harm to both civilians and civilian objects (IT infrastructure of hospitals or schools) and to combatants from cyber operations in the context of armed conflict. These states see it as a priority to clarify how IHL applies to cyber operations in armed conflicts.

Another group of states holds that the OEWG should not even discuss the applicability of IHL to the use of ICTs in the context of international security since it would imply that the states tacitly accept the possibility of an armed conflict in cyberspace, which would contribute to militarisation in cyberspace and would be the first step towards an armed cyberattack.

• How should the UN ensure adequate and sufficient financing for capacity-building initiatives?

The proposal for a permanent UN-administered fund to support cybersecurity capacity building in developing countries generated significant debate among delegations. The supporters, including several developing nations and the Arab Group, advocate for the fund as a means to ensure equitable and sustainable access to financial resources, arguing that it would help bridge the digital divide and strengthen global cybersecurity. They pointed out that such a fund would provide consistent financing necessary for long-term initiatives, particularly in countries lacking robust cybersecurity infrastructure. However, other delegations expressed concerns about the management and oversight of the fund, fearing it could lead to duplication of existing funding mechanisms and questioning how the fund would be administered to avoid inefficiencies. For example, some European nations stressed the importance of leveraging existing structures like the World Bank’s cybersecurity initiatives, cautioning against the creation of parallel systems that might fragment international efforts.

• What should be the scope and structure of the Global Cybersecurity Cooperation Portal, and how can it be streamlined with existing initiatives?

The proposal for a Global Cyber Security Cooperation Portal sparked a detailed debate on how this new platform should be integrated or synergised with existing cybersecurity portals to avoid duplication and enhance global cooperation. Delegations expressed concerns about the potential for overlap with established platforms like the Global Forum on Cyber Expertise (GFCE) Cyber Portal and the EU CyberNet, emphasising the need for careful coordination to ensure the new portal adds value rather than creating redundancy. On the other hand, some delegations, including those from developing countries, emphasised the portal’s potential to address gaps in current systems, particularly in terms of accessibility and tailored support for countries with limited cybersecurity resources.

• How should the proposed UN Voluntary Trust Fund be operationalised, and how should it be integrated with existing funding mechanisms?

Delegations broadly supported the idea of establishing a UN Voluntary Trust Fund on security and ICT use; however, concerns emerged regarding its operationalisation. There was a need for more discussion on how the fund would be structured to avoid duplication with existing mechanisms, such as the World Bank Cybersecurity Multi-Donor Trust Fund and ITU funds. Additionally, delegations, including Australia, sought clarity on the eligibility criteria for accessing the fund, emphasising the importance of ensuring that it adds value without creating overlap or confusion within the current funding landscape.

• How should foundational cybersecurity capacities be implemented globally: through standardised approaches or by tailoring them to the countries? 

The implementation of foundational cybersecurity capacities sparked a debate between adopting a universal, standardised approach and the need for customisation to fit national contexts. While many delegations agreed on the importance of key elements such as legal frameworks, CERTs, and incident response mechanisms, there was a clear division on whether these should be uniformly applied across all countries or adapted to each nation’s specific circumstances. The concern is that imposing a one-size-fits-all solution may not be effective in diverse environments.

• Should gender and inclusivity be integrated into cybersecurity capacity building efforts?

The emphasis on gender-sensitive approaches in cybersecurity capacity building, was met with mixed reactions. While some delegations praised the development of gender-sensitive toolkits and their application in capacity building programs, others criticised the inclusion of gender and youth topics in the capacity-building agenda, arguing that these issues were unrelated to the core mandate of the OEWG.

• What is the appropriate role of nongovernmental stakeholders in cybersecurity capacity-building efforts?

The inclusion of a multistakeholder approach in capacity-building efforts sparked a debate among delegations. While most countries support the involvement of businesses, NGOs, and academia, there is strong opposition to portraying non-governmental stakeholders as equal participants in negotiations alongside states, as that could undermine state sovereignty in cybersecurity discussions.

• What is the role of regional organisations in operationalising the POC directory and CBMs?

Regional organisations have been referred to mostly as examples and laboratories for the development of new CBMs and their implementation as these have been operationalised historically at a regional level. The POC directory in that instance has been directly inspired by other POC mechanisms such as between ASEAN and Japan or within the OSCE. A new development in CBM-related discussions concerned the use of standardised templates where inputs from the experience of regional organisations were also called upon. Concerns were nonetheless expressed about relying on regional organisations only for the implementation of CBMs which would leave out states not participating in such organisations.

• Should additional CBMs be formulated?

Most additional CBMs proposed throughout the sessions were adopted (organisation of seminars, workshops and training programmes, exchange of information on the protection of critical infrastructures, strengthening of the public-private sector partnerships). So far, only the coordinated vulnerability disclosure first appearing in the 4th substantive session has been brought up occasionally but never adopted. The building of a common terminology as an additional CBM is a half-resolved issue (see next section on common terminology). Finally, it is likely that the discussion of additional CBMs may strictly revolve around the development of the POC directory (see next section on what’s next for the POC directory).

• Should countries build a common terminology?

The building of a common terminology or taxonomy is an issue at least as old as the 4th substantive session and is regularly brought up in discussions as a way to enhance exchanges and effective communication. This nevertheless is often met with reluctance by several delegations as an obstacle to the discussion of more practical CBMs. States have only agreed to share national ICT terms and terminologies since the second APR, but this disposition is still met with scepticism by some delegations with regard to its utility. Further development in these discussions may be enabled by progress at a regional level (Mercosur has been mentioned as working on this kind of common taxonomy).

•  What’s next for the POC directory?

Now that most states have appointed their POCs and the first ‘ping’ test (a test conducted by the directory manager to verify that the information in the directory is up-to-date) has been run, the evolution of the POC directory is the most debated CBM-related issue. Some states do not want to overburden the POC directory now, but the development of standardised communication templates has nonetheless been adopted in summer 2024 and the UN Secretariat is expected to present an example of such a template in April 2025. The expansion – or not – of the POC directory will most likely be the centre of future discussions as the mechanism is considered to be the flagship achievement of the OEWG and one of the pillars of the permanent mechanism.

• How many thematic groups should be established and what should they discuss?

There’s no agreement on which themes the thematic groups should tackle. Some countries suggest that the groups should follow the thematic areas that the OEWG discusses, as those themes result from previously achieved consensus. Others suggested the groups should have a narrower focus, such as the protection of crucial infrastructure (CI), cyber incident response or victim assistance.  Some states warned that creating too many thematic groups would be challenging for smaller delegations to participate, making the groups noninclusive.

• How should stakeholders participate in the work of the mechanism?

The future mechanism will be a First Committee process and, therefore, a state-led process. However, there is room – and need – for stakeholder participation. Some states consider the ad-hoc committee on cybercrime modalities for stakeholder engagement to be the gold standard, where stakeholders attend any open formal sessions of the ad hoc committee, make oral statements, time permitting, after member states’ discussions, and submit written statements. Other countries caution that the OEWG’s own much-discussed modalities should be applied because they are the hard-won result of delicate compromise. This issue was ultimately deferred to the group’s next meeting.