UN GGE and OEWG

Episodes of cyber warfare between states already exist. What is worse is that there is no regulatory scheme for that type of warfare, it is not clear how the Geneva Convention or international humanitarian law applies to it.

UN Secretary-General Antonio Guterres, 2018

There is evidence from official documents and media coverage that countries are increasingly investing in defensive as well as offensive cyber-capabilities.

In 2004, the UN General Assembly has established the Group of Governmental Experts (GGE) to examine the impact of developments in ICT on national security and military affairs. Six GGEs have been convened – in 2004/2005 (A/RES/58/32), 2009/2010 (A/RES/60/45), 2012/2013 (A/RES/66/24), 2014/2015 (A/RES/68/243), 2016/2017 (A/RES/70/237), and 2019/2021 (A/RES/73/266). The official webpage of the GGE is here.

• Members

GGE members in 2019-2021 are Australia, Brazil, China, Estonia, France, Germany, India, Indonesia, Japan, Jordan, Kazakhstan, Kenya, Mauritius, Mexico, Morocco, Netherlands, Norway, Romania, Russian Federation, Singapore, South Africa, Switzerland, United Kingdom, United States, and Uruguay. Ambassador Guilherme de Aguiar Patriota of Brazil was elected as the Chair of the GGE. The map of GGE members from 2004 onward is below.

• Selection and Composition

The UN GGE is composed 'on the basis of equitable geographical distribution'. Traditionally, the five permanent members of the Security Council have a seat on all GGEs, and the remaining seats are allocated by grouping. Upon the call for expression of interests, States send an official request for a seat on a GGE of particular interest to them, and might even lobby at the highest levels of the Secretariat for a place at the table.

The Office of the High Representative for Disarmament Affairs has the task of proposing the Group’s composition to the Secretary-General who decides, taking into account not only geographical and political balance, but a demonstrated interest in the topic, the number of times a country has served on other GGEs, whether they are currently serving on a different GGE, etc. Occasionally a government might decline to participate in a GGE if it believes it lacks the personnel or expertise necessary for the work.

Once the countries have been identified and notified, they are asked to nominate an expert to participate in the GGE. In almost all cases, these experts are government officials. Early GGEs included a mix of experts on information security, some with diplomatic backgrounds and others with a more technical background. Over time, the composition of the experts changed, as countries chose to select experts with arms control, or non-proliferation experience. Experts technical backgrounds can be 'left behind' in the sometimes intense diplomatic negotiations that accompany a GGE.

Each GGE selects a Chair from among its members. A strong and skillful Chair is vital to the success of the group. The Russian Federation chaired in 2005 and 2010, Australia in 2013, Brazil in 2015, and Germany in 2016. Brazil chaired the 2019-2021 Group. While it is the experts who sit at the table (there are no 'delegations'), some experts are accompanied by advisers. In the recent GGEs, legal advisers have been particularly common.

• Procedures

The Group, guided by the Chair and shaped by the mandate included in the General Assembly resolution, largely determines its own agenda and work plan. The work, particularly commenting on drafts and informal consultations is often conducted.

Most GGEs meet for four one-week sessions. The Group holds its meetings in the UN format, sitting for six hours a day (from 10 a.m. 1 p.m., and then again from 3 p.m. 6 p.m.), with simultaneous interpretation in all six official languages of the UN. The GGEs' meetings are closed and there are no publicly available meeting summaries. The closed-door format is considered essential for the frank discussions to enable GGEs to find agreement. Thus, there are also no observers - whether representatives from other governments, non-governmental organisations, the private sector or international organisations.

On more than one occasion it has been suggested that the International Telecommunications Union (ITU), the UN specialised agency responsible for developing technical standards for ICTs, may be invited to observe the group. However, the General Assembly mandates the work of the GGEs squarely in the realm of international security and disarmament, and thus not as a technical exercise.

The UN Office for Disarmament Affairs (UNODA) serves as the Secretariat to the cyber GGEs.

• Decision-making

Decisions, including decisions on the final Report, are made by consensus.

• Relations with other UN bodies and processes

The fact that the GGE falls under the UN First Committee has important implications for how the Group interprets its mandate, by focusing and narrowing the scope of the task. The First Committee is the Main Committee of the General Assembly and is allocated agenda items on disarmament and international security.

After multiple discussions, GGEs have decided that the issues not under the purview of the First Committee - such as espionage, Internet governance, development and digital privacy - are not the focus of the Group’s work. While terrorism and crime are important topics for understanding, previous GGEs have limited themselves to calling for greater co-operation among states, while deciding that detailed discussion of these topics and the development of recommendations for them is best done in other UN bodies.

In 2019-2021, UNODA is mandated to organise a series of consultations with regional organisations, in particular the African Union, the EU, the OAS, the OSCE and the ASEAN Regional Forum. The consultations take place back-to-back with relevant meetings of the regional organisations, with participation by some GGE Members and, where possible, the Chair. Summary reports of these consultations are then sent to the GGE.

Source: UNIDIR's Report on the International Security Cyber Issues Workshop Series

The OEWG 2019/2020 was established by the UN General Assembly in December 2018 (A/RES/73/27). It is tasked to continue to develop the rules, norms, and principles of responsible behaviour of states, discuss ways for their implementation, and to study the possibility of establishing regular institutional dialogue with broad participation under the auspices of the UN. In December 2020, the OEWG was renewed for 2021/2025 (A/RES/75/240).

In March 2021, the OEWG 2019/2020 concluded after its third and final substantive session where the group adopted its final report, Chair's summary, and updated procedural report.

The official page of the OEWG can be accessed here.

• Participation

The composition is declared as open, allowing all UN member states that express a desire to participate. In addition, the OEWG will hold consultative meetings with the interested parties - business, non-governmental organisations and academia - which can apply to attend the meetings (deadline for application to attend intersessional and 2020 meetings is 1 October 2019); applications are managed by UNODA and approved on a 'no objection' basis (i.e. objections by the governments). Ambassador Jürg Lauber of Switzerland was selected as the Chair of the OEWG.

• Agenda

According to paragraph 5 of the GA Resolution A/RES/73/27, there are six substantive issues for discussion:

1. Existing and potential threats;
2. International law;
3. Rules, norms and principles;
4. Regular institutional dialogue;
5. Confidence building measures;
6. Capacity building.

The OEWG will work according to the preliminary agenda, to develop its report on a consensual basis.

Comprehensive reports from the first substantive session are available here.

• Timeline

The OEWG started its work on 3-4 June 2019, with an organisational meeting that gathered representatives of almost 100 member states. Its first substantive session was scheduled for 9-13 September 2019 (session reports available), followed by the intersessional consultative meeting on 2-4 December 2019 (session reports available), second substantive session 10-14 February 2020 (session reports available), and the final substantive session 8-12 March 2021 (session reports available). 

Does existing international law apply to cyberspace? 

There is broad agreement that international law applies to cyberspace, which is expressed in the reports of the GGE and the related UN General Assembly (GA) resolutions. More specifically, states agree that the jurisdiction of a state over the information and communication technology (ICT) in its territory applies, and that states should not conduct internationally wrongful acts nor use proxies for such acts. 

Yet, a number of issues remain open: 

• How do the established principles of international humanitarian law – humanity, necessity, proportionality, and distinction – apply? The principles were agreed upon by the GGE in 2015, but were not re-iterated in the resolution that established the OEWG, which may signal differences in positions.
• How does international law apply to cyber-attacks in peacetime (as part of ‘hybrid warfare’)?
• Should discussions include control of arms proliferation, or a more precise use of the Law of Armed Conflict?
• How to deal with the dual-use nature of ICTs – should discussions address only the use that endangers peace and security?

How does the UN Charter apply to cyberspace? 

There is a broad agreement that the UN Charter applies to cyberspace, which was confirmed by the GGE reports and the related UN GA resolutions. However, ‘the devil is in the details’, as the definition of an armed attack and use of force in cyberspace is not clear. Is it limited to attacks that cause physical damage and injury, or would other effects (eg. financial, environmental, economic, or political) fall under this definition as well? Should this determination remain under the exclusive responsibility of states – perhaps by considering certain factors such as context, intent, or severity of effects, as suggested in the Tallinn Manual 2.0? In general, (most) states might not have the incentive to define it, in order to leave the interpretation to their own discretion. This could be particularly beneficial for the strong, developed countries, but small countries may also benefit from the lack of clarity as it leaves them with some advantages of ‘asymmetric warfare’ (the ability to conduct high-effect attacks with relatively affordable cyber-means). The major stumbling block, however, is the right to self-defence as described below.

How does state sovereignty translate to cyberspace?

Both the 2015 GGE report, and the resolution that established the OEWG, confirm that state sovereignty applies to ICT, and that states have jurisdiction over ICT in their territory. There is consensus that states have an obligation to respect the sovereignty of other states and to refrain from activities that constitute a violation of other states’ sovereignty, including cyber operations that would violate the sovereignty of another country.

The question remains about what responsibilities do states shoulder stemming out of the principle of sovereignty and sovereign equality. While some states refer to the right of executing jurisdictional authority within the territorial borders of their country, others also attach a responsibility of not allowing other actors to use the territory of any given state to conduct malicious cyber activities (i.e. the due diligence principle as described below).

States also struggle with global reach of cyber activities that do not fit the traditional definition of sovereignty (protecting state authority over property and persons within territorial borders). For example, when targeting extraterritorial data storage – the assertion of sovereign power over data – cyber-attacks consisting of several components that render them untraceable (i.e. masking of geographical origin) can make it extremely difficult to determine whether they involved a cross-border operation, which would violate a state’s sovereignty. 

Non-interference principle: coercion, use of force, or armed attack?

The non-interference principle, derived from the principle of sovereignty, is applied between states and prohibits interference in the internal or external affairs of another state with intent to employ coercion against that state. This principle applies to all matters over which states execute their exclusive authority. 

Existing and emerging technologies provide states with more opportunities to influence and interfere in the internal or external affairs of other states. Applied in the context of cyberspace, the question arises: When can cyber operations be considered coercion, use of force, or armed attack given that no ‘weapons’ are used in the usual (physical, kinetic) sense of the word?

Most of the states at the OEWG define cyber-attacks on an individual basis, considering their effects and whether they are comparable to those of a conventional and prohibited act of violence.

One of the open issues includes the definition of thresholds of such interference that trigger either a response from the targeted state or the state’s right to self-defence. The precise boundaries between coercion, use of force, and armed attack have not been set yet. Two main points in this regard are the interpretation of Art. 2 (4) of the UN Charter and Art. 51 of the UN Charter.

Coercion as economic, diplomatic, or political pressure is not defined under Art. 2 (4) of the UN Charter. In certain cases, however, when evaluated on its effects, it cannot be ruled out that a cyber operation with very serious financial or economic impacts may qualify as use of force.

When interpreting use of force as described in Art. 2(4) of the UN Charter, international law does not provide a clear definition. Each case is examined individually to establish whether the ‘scale and effects’ are such that an operation may be deemed a violation of the prohibition of use of force. That being said, the prohibition of use of force is acknowledged by states at OEWG.

Defining ‘armed attack’ and setting it apart from ‘use of force’ is relevant in the context of triggering the right of self-defence under Art. 51 of the UN Charter. International law is not clear on the precise scale and effect of use of force that would qualify it as an armed attack. It should be noted that not all cross-border incidents involving weapons constitute armed attacks within the meaning of Art. 51 of the UN Charter. This again depends on the scale and effects of the incident in question. The majority of states at OEWG, however, agree that an armed attack does not necessarily have to be carried out by kinetic means to trigger a state's right to self-defence. Certain countries, such as Australia, France, or the Netherlands, have published their opinions on what constitutes an armed attack in their respective cyber strategies.

There is also ongoing debate on the legal nature and the binding force of the Draft articles on Responsibility of States for Internationally Wrongful Acts, adopted by the International Law Commission.

(How) Does the right to self-defence, enshrined in the UN Charter (Art. 51), apply to cyber-attacks? 

In particular, should countries that are subject to a cyber-attack be allowed to respond to it by all means, including the all-out military options with traditional means of warfare? This question was one of the main reasons – if not the main reason – for the failure of the GGE to reach consensus in 2017. The 2015 GGE report, approved by the UN GA, confirms (Art. 28c) the inherent right of states to take measures consistent with international law (with a note that further study is needed); yet the resolution that established the OEWG does not re-iterate this position. Positions on this issue are openly divergent:

• The North Atlantic Treaty Organization (NATO) confirmed that Art. 5 of its Treaty allows response by all means (including conventional weapons) in the case of a cyber-attack against one of its members.
• Russia finds that the traditional use of force is not a legitimate response to cyber-attacks, at least not without the approval of the UN Security Council and according to the UN Charter, which would allow the accused party to defend itself before the Security Council. Russia further requests that the sources of cyber-threats are not identified by (attacked) states independently and arbitrarily, without evidence, particularly if this could lead to devastating counter-strikes.
• Some small states, like Cuba, believe that a cyber-attack is not tantamount to an armed attack, and thus, the right to self-defence should not be used in such cases.

An additional grey zone is the right to self-defence against armed attacks conducted by non-state actors, or state proxies.

In what other ways can countries respond to cyber-attacks? 

While the right to self-defence may apply once the attack has occurred, what other options does a state have to respond to cyber-attacks, and deter counterparties from conducting such attacks? Also, should anticipatory self-defence (to deter imminent threats) – or even preemptive strikes – be considered?

The USA and the EU consider the following actions to be acceptable:

• The US believes in a ‘Cyber Deterrence Menu’ of countermeasures that states can take when an attack occurs and in order to deter more attacks, as well as accountability measures in relation to the attackers: private and public attribution, sanctions, deterrence alliances, and even ‘defence forward’ (or preemptive) cyber-strikes.
• France believes anticipatory self-defence may be allowed, but not preemptive strikes. 
• The EU has adopted its ‘Cyber-diplomacy toolbox’ and ‘Sanction regime’ as official options to respond to and deter cyber-attacks.

It also remains an open question whether states should have the duty to notify the state against which they plan to launch countermeasures. 

How should attribution of cyber-attacks be conducted? 

This is probably one of the most complex dilemmas, as it involves a mix of technical, legal, and political aspects. There are no agreed-upon methodologies on how to establish attribution to cyber-attacks; there are divergent views between experts over how reliable the current technical means are for tracing the origins of attacks. Certain aspects of intelligence-gathering – such as conventional intelligence activities and cyberespionage for the collection of digital evidence – are understandably kept secret by the parties working on attribution. In addition, the lack of transparency over evidence in the recent avalanche of mutual public accusations among states adds to the complexity. While both the GGE report (Art. 28f) and the resolution that established the OEWG (Art 1.2) confirm that the indication of the origin of the attack might not be enough for attribution and that accusations need to be substantiated, the official positions of the main actors are clearly divergent:

• The US, its NATO allies, and some of the large Internet industry players engage in ‘collective attribution’, in the form of a joint public ‘naming and shaming’ of the suspects.
• Russia sees such an approach as a pseudo-legal concept where a group of countries accuse a third country, conducted without disclosed evidence, and demands evidence-based attribution.

Should due diligence be an obligation? 

Due diligence is an obligation of states to prevent their territory from being used for the launching of cyber-attacks by state or non-state actors against other states. Norms set in the 2015 GGE report and reiterated in the OEWG resolution request that countries not allow their territory to be used for internationally wrongful acts, and to mitigate cyber-attacks against the critical infrastructure of other countries that originate in their own territory. As with all GGE norms, this one is voluntary as well; in practice, there may be a number of reasons why its implementation could be limited. For instance, states may react only, rather than try to prevent attacks, or they may excuse themselves by claiming not to know that cyber-attacks have been conducted. The EU and its partners believe that due diligence should be a binding obligation (both in cyberspace and beyond), following the International Court of Justice judgement in Corfu case (1949), and warn that not adhering to it may result with countermeasures by the attacked country. Russia and its allies, on the other hand, oppose due diligence as an obligation in general, and only approve what has been agreed upon by the GGE.

How can state responsibility in cyberspace be applied? 

While all of the norms stated in the 2015 GGE report (Art. 13) have been approved by the UN GA both in a subsequent resolution and in the resolution that established the OEWG – which signals the agreement of major actors at least – the challenge on how to enforce them remains. There is also the question of who should be in the driver’s seat for enforcement – the GGE, the OEWG, and/or regional organisations (see below)? It is likely that the GGE will focus on mapping the components required for the implementation of existing norms.

Additional norms

Are more norms needed at the moment? Or should the focus be placed on the implementation of existing ones? Both the 2015 GGE report and the resolution that established the OEWG provide the space for the development of additional norms over time. Some of the options raised by different parties – with evident divergence in their positions – include norm proposals by the Global Commission on Stability of Cyberspace such as protecting the public core of the Internet, preventing injury to civilians, mitigating effects during incidents, and protecting electoral systems, as well as norms related to the effects of artificial intelligence (AI) on security, fake news, and disinformation, the protection of core Internet infrastructure as public goods, and cybercrime issues, among others.

To what extent should the GGE and the OEWG work on issues beyond their mandate?

Should the GGE and the OEWG deal with issues that do not fall within their mandates directly, but have an impact on their work? While there is a broad agreement on the existing 2015 GGE norm (Art. 13e) related to the protection of human rights, freedom of expression, and privacy, and even preserving the free flow of information which was added to the resolution that established the OEWG (art. 2), other issues may come to the table:

•  
• The right and duty of states to combat the dissemination of false and distorted news, and the obligation of states to abstain from defamatory campaigns, vilification, or hostile propaganda – understood as interference in internal affairs – were officially brought up by the resolution that established the OEWG. This call was introduced by Russia and its allies, which states the importance of ensuring the credibility of information and combating fake news. The USA and its allies, on the other hand, believe that these issues fall under a different legal framework – one related to the freedom of speech – and opt for distinguishing between the security of networks and policing content, as well as between human nature and state-on-state interference on freedoms, and suggest that combating fake news should be addressed through public-private partnerships with the Internet industry.
• Internet governance, particularly in its narrow definition as critical Internet resources (DNS and IP management), as well as combating crime and terrorism, were particularly excluded from the related UN negotiations in the closing clauses of the 2015 GGE report, by suggesting that the UN should lead, but not duplicate efforts undertaken on crime and terrorism, human rights, or Internet governance; the resolution that established the OEWG, however, does not re-affirm this clause.
• Both the 2015 GGE report and the resolution that established the OEWG agree on the norm that requires states to co-operate in combating crime and terrorism. While the USA and its allies oppose further discussions on the matter within the OEWG, Russia and its allies might find space for the OEWG to take up their resolution on countering the use of ICT for criminal purposes – adopted by the UN GA in 2018 – in order to build momentum for an overarching international Code of Conduct for Cyberspace.
• Supply chain security has been raised by several states – in particular China, Iran, and India – which may include states sustaining non-discriminatory business environments, upholding unrestricted ICTs development and research, not exploiting their dominant position (resources, technologies, services, and infrastructure) at the cost of the security and stability of other countries, and defining the responsibilities of the private sector for securing supply chains and not misusing monopolistic powers.
• The security of elections has been high on the agenda of global discussions recently. While some western states might consider raising this as a possible norm, it may become a slippery slope for discussions, as it combines the security of voting infrastructure and the voting environment (including content-related issues such as social media and fake news).

Confidence building measures

While the GGE has agreed on a set of CBMs, a major break-through was made by regional organisations, in particular the OSCE. The main open question is: Who should be in the driver’s seat in the further development and implementation of CBMs – the GGE, the OEWG, and/or the regional organisations? Russia, for instance, believes that the OEWG should develop a set of CBMs that unifies the existing ones developed on the regional level, and thus take over this work from them. The USA and its allies, on the other hand, believe that regional organisations should continue being the primary driver in the development and implementation of CBMs.

Capacity building

Capacity building is the third pillar of the international framework in development. There is general agreement over the importance of capacity building, and the GGE report as well as regional organisations have suggested particular focus in this regard. The main open questions relate to: How to implement capacity building measures, what platforms are to be used, and who should pay for this; what form should this take; who should the target group(s) be (i.e. policy-makers primarily, or also other stakeholders, such as industry and the technical community), and how to avoid duplication of efforts in capacity building?

Other stakeholders

There is broad agreement that the involvement of the private sector in particular, but also academia and civil society, is beneficial. The open questions are: What the roles and responsibilities of the other stakeholders should be (in this regard, the Geneva Dialogues have provided some guidelines) and how to ensure communication with and between them, as well as their effective involvement?

Roles of the GGE and the OEWG 

One of the main stumbling blocks in the initial phase is who should do what: What should be the focus of the GGE and of the OEWG, respectively? The resolutions that have established the two bodies have defined their broad mandates: Both the OEWG and the GGE are to work on norms, CBMs, and the applicability of international law to cyberspace. The OEWG is also to discuss establishing regular institutional open-ended dialogue within the UN. The two bodies are to, in particular:

• The OEWG: According to Russia and its allies, the OEWG should revisit the GGE reports with all 193 states; develop further CBMs and discuss their effectiveness and implementation; establish a permanent entity under the auspices of the UN to discuss cyber issues in the future; and develop a draft resolution(s) related to cybersecurity, possibly to be adopted in 2021. The US and its allies, however, see the main role of the OEWG as enabling other states – particularly those that were not part of the GGE process – to better understand the existing normative framework for responsible behaviour that was developed by the GGE, as well as to define the capacity building needs of states and other stakeholders in order to implement existing norms and CBMs. They believe that the development of CBMs should remain the task of regional organisations, while the main venue for future dialogue should also be left to regional organisations, as well as multistakeholder processes like the Paris Peace Forum, IGF, and others.
• The GGE: The USA and its allies opt for looking into more technical issues on the implementation of the existing normative framework, and in particular, resolving open issues on how international law applies to cyberspace, as well as ways to enforce the implementation of existing norms.

With the OEWG and GGE mandates coming to a close in March 2021 and May 2021 respectively, the UN First Committee approved two resolutions. The first, sponsored by the USA, states that the UN GA will consider the outcomes of the OEWG and the GGE at the conclusions of those processes and will decide thereafter on any future work. The second, sponsored by Russian Federation, states that the OEWG 2021-2025 shall start its activities upon the conclusion of the work of the current OEWG and shall hold its organisational session in 2021.

Cyber-diplomacy web discussion: Cyber-diplomacy web discussion: Norms and confidence building measures (CBMs): Are we there yet?

Cyber-diplomacy web discussion: Traceability and attribution of cyber-attacks: Who did it?

Cyber-diplomacy web discussion: Applicability of international law to cyberspace: Do we know the rules of the road?

Cyber-diplomacy web discussion: Cyber-armament: A heavy impact on peace, economic development, and human rights

Geneva Dialogue on Responsible Behaviour webinar: What is the role of the private sector towards a peaceful cyberspace?

Geneva Dialogue on Responsible Behaviour webinar: What is the role of civil society and communities towards a peaceful cyberspace?

Geneva Dialogue on Responsible Behaviour webinar: What is responsible behaviour in cyberspace?

Study: Towards a secure cyberspace via regional cooperation

Online course: Cybersecurity policy and international affairs

Geneva Dialogue on Responsible Behaviour: Output document