OEWG’s fifth substantive session: the highlights

The group discussed its annual progress report (APR).

 Flag

The UN Open-Ended Working Group (OEWG) on security of and the use of information and communications technologies 2021–2025 held its fifth substantive session in July 2023. On the agenda: adopting the annual progress report (APR). 

As the chair astutely noted:

‘Gaps remain on a number of issues and there is no way to finesse a gap in substantive positions. Our discussions will have to continue to build understanding to find solutions to the gaps, differences in positions and these differences are deeply held. And some of the differences have been held not just this week, not just this past 12 months, but for the last 20 years or more. So it’s challenging to try and bridge differences over overnight drafting process for issues that have eluded consensus for the last 25 years’.

During this session, the crux of the issue was that Russia and like-minded countries were disappointed by the inclusion of language and human rights, international humanitarian law, and the overemphasis on gender issues. Despite the apparent disagreement of like-minded delegations, such contentious topics should not have been incorporated without achieving a consensus. Also, the concept of a UN Convention on International Information Security was not mentioned.

Among palpable tensions, the APR was, in the end, adopted.

Threats 

New expected consensual additions were praised by most countries, including the reference to the use of ICTs in current conflicts and the inclusion of ransomware despite the latter not being considered relevant by some countries during previous sessions.

Regarding critical infrastructures, South Korea’s proposal to add the energy sector to the list of sectors of peculiar concern was supported by many states. It made it to the final report, whereas the proposal to add financial institutions went unheeded. Finally, while China and Kazakhstan resisted the reference to malicious ICT activities targeting humanitarian organisations, it still made it into the APR.

Old disputes: data security

As an item listed in the OEWG mandate, China, supported by Syria, requested the group to have a more focused discussion on data security. The Netherlands, followed by several other states (e.g. Malaysia, Croatia, the UK, New Zealand, Belgium), expressed concerns regarding this reference as ‘it is not clear how this impacts international security’ and proposed referencing it in para. 14, along with the potential impact of new emerging technologies. While Australia suggested reverting to the language of the 2021 report on the issue, the USA requested the deletion of that reference as ‘it could be interpreted as elevating the issue’ along with other issues perceived as more critical. Similar criticisms were addressed to the references to misinformation, disinformation and deepfakes.

Outcome: These contentious references do not appear in the APR.

Were there any concrete proposals?

Most of the new proposals were watered down or did not make it into the APR. Among them, Kenya’s proposal for a threat repository received support from many delegations that expressed interest in furthering discussions on the issue. However, Austria, the UK, and Mexico recommended that this proposal be moved to the CBM section, as echoed by the USA. The latter, supported by Chile, expressed concerns related to this initiative duplicating other technical forums among practitioners (such as CERT to CERT channels). Nicaragua, on behalf of Belarus, Burundi, China, Cuba, North Korea, Iran, Russia, Syria and Venezuela, strongly opposed the proposal and described it as a tool for the politicisation of ICT security issues. At the same time, Cuba added that ‘it could be used for false attributions or accusations for political ends’.

Outcome: This proposal didn’t reach the APR, threat, or CBM sections.

Many delegations also expressed their concerns regarding the impact of the development of new technologies (notably AI, quantum computing and cloud technology) on cybersecurity. New Zealand, South Africa, the Netherlands, Czech Republic, Ireland, Croatia, Singapore, Vietnam, Belgium and Bangladesh also supported the proposal to hold an intersessional meeting dedicated to these emerging technologies. The USA and Russia opposed this, arguing that several UN initiatives on emerging technologies (such as the GGE on LAWS) already cover these issues. Austria recommended having a focused discussion on how these technologies affect cyber specifically. Finally, Colombia, supported by Fiji, proposed a meeting where states victims of cyberattacks could share their experiences, lessons learned, protocols and best practices.

Outcome: Any reference to these new technologies was deleted from the report. A less focused intersessional meeting ‘on existing and potential threats to security in the use of ICTs’ with relevant experts’ participation was recommended as the next step.

What did stakeholders say?

Stakeholders emphasised the crucial role of non-governmental actors in comprehending and addressing threats that disproportionately affect vulnerable groups. They also highlighted the significance of these actors in ensuring that the efforts of the OEWG encompass a gender perspective, amplify youth voices, and work towards bridging the digital divide in both low and high-income countries.

The proposal presented by Colombia and other delegations garnered widespread support for its aim to facilitate the contributions of non-governmental stakeholders in the proposed repository of threats. Furthermore, stakeholders highlighted the value of information exchange and incident response that extends beyond the state level. These stakeholders can function as trusted intermediaries, offering insights into incidents that attack common civil society targets like human rights defenders and journalists, thereby contributing to more effective countermeasures.

Specific recommendations put forth by stakeholders included the addition of energy and water facilities as critical infrastructure in the Threats section of the APR proposed by Hitachi America. Additionally, Safe PC Solutions called for the inclusion of emerging security threats related to 5G broadband technologies. Moreover, Access Now stressed the need for a concrete acknowledgement of the cyber threats and capabilities against humanitarian actors and human rights defenders.

Rules, norms and principles

Old disputes: implementation vs development

The existing fault lines in opinions resurfaced again. In the section on norms, most member states have supported the implementation of the 11 existing voluntary norms before exploring the need for additional norms. According to these member states, the development of new norms is premature. On the other hand, Russia, China, Cuba, and others consider focusing on implementing existing norms to be outside of the mandate of the OEWG and think that the development of additional norms and new legally binding obligations should be the main agenda of the OEWG.  

Some states were not satisfied with the level of emphasis put on implementation: for instance, Australia suggested that in the section on rules, norms and principles para 23 f) notes that states stressed the need for further focus discussions on implementing the rules, standards, and principles of responsible state behaviour in the use of ICTs, adding the word ‘implementing’ to the original phrasing.

Many states emphasised the importance of the private sector in the integrity, stability, and security of supply chains and cyberspace, which is now reflected in Art. 23e) of the APR. Other discussions related to critical infrastructure, critical information infrastructure, and the safety and integrity of supply chains (Art. 23 c), d) APR).

A group of states also resurrected the proposal to establish a voluntary glossary of national definitions of technical ICT terms, which was declined by most states as they needed more consensus. Suggestions were made to include this glossary as part of CBMs.

A new debate – glossary of terms

This time, states disagreed over a new topic – a glossary of terms. Some states (e.g. Switzerland, the UK, New Zealand, South Africa, etc.) did not support the proposal and asked to remove this from the progress report. They argued that states could more usefully continue to share national policies and their statement on international law and threat information. Some countries (e.g. Kazakhstan and Iran) disagreed with deleting this proposal.

A new proposal – substantiation of accusations

Russia suggested supplementing the section on norms with the provisions that accusations of wrongful acts with the use of ICTs brought against states must be substantiated, and that computer incident response must not be politically motivated.

OutcomesThe final wording of the APR (Art. 23 f)) includes a focus on implementing norms to which the opposing states agreed in the spirit of goodwill and compromise. A mention of the possibility of future elaboration of new legally binding obligations within OEWG found its place in Art. 29 b) I and in Art—32 of the APR, with a footnote referring to a proposal. The reference to the glossary of the terms has been removed from the final draft.

What did stakeholders say?

Stakeholders highlighted the importance of developing a norms checklist with a comprehensive and coordinated approach to capacity development and the significance of regional-level implementation by leveraging regional organisations’ expertise.

International law

The statements at the session clearly reflected that over the past year, the member states have advanced in explaining their positions and clarifying their points of disagreement on both norms and international law, thus making drafting the APR language more challenging.

Discussion on international law has built upon the intersessional meeting in May 2023. There are two key opinions present

Most states reaffirm that international law, including the UN Charter, applies in cyberspace. This group proposed to deepen the discussion on how international law applies (Art. 30 of APR) and focus on sovereignty and sovereign equality, due diligence, respect and protection of human rights. The proposals within this group of states also included a direct reference to Art. 2(3), Art. 2(4) and Art. 33 of the UN Charter (Art. 30 a)-c) APR) and international humanitarian law’s applicability (Art. 29 b) ii APR). 

Another group of states insists on discussing a new legally binding instrument to regulate the state’s behaviour in cyberspace (Art. 29 b) i APR). The proposal by Argentina and South Africa to involve the International Law Commission in the discussions on the applicability of international law to cyberspace did not find support.

There were, however, proposals that have found support from all across the board – on the need to hold dedicated inter-sessional meetings on how international law applies to cyberspace (Art. 35 APR) and on capacity building in international law (Art. 36 APR).

Which were old disputes?

Russia and Iran noted that the report needs more references to formulate a legally binding instrument, with Iran stating that para 32 contains a weak reference, which they found insufficient. China requested that para 32 be deleted, or that additional wording be added under the section on Norms accordingly. Estonia, on behalf of Australia, Colombia, El Salvador and Uruguay, proposed an alternative language to article 32 of Rev 2: States discuss the need to consider whether any gaps exist in how existing international law applies in the use of ICTs and whether further to consider the possible development of additional legally binding obligations if appropriate. The USA, New Zealand, and Switzerland supported this edit.

Para 32: Noting the possibility of future elaboration of additional binding obligations, if appropriate, States discussed the need to consider whether any gaps exist in how existing international law applies in the use of ICTs and further consider the development of additional legally-binding obligations. 

Australia suggested changing the word ‘norms’ to ‘obligations’ in para 30 because the word ‘norms’ in the original text is used in the context of this OEWG, slightly differently from how it is often used in international law. Many delegations, such as South Korea, Switzerland, Japan, and Austria, supported this edit. The USA called new references to norms in the international law section ‘muddying of waters.’

Are there any new debates?

At the same time, states shared disagreements on human rights in the progress report: Germany first proposed adding the reference to human rights, and several countries (e.g. Switzerland, the EU and its member states, New Zealand, etc.) supported this proposal. Another group of like-minded States (Russia, Iran, China, Cuba, etc.) shared that they were “disappointed” by the inclusion of language on human rights in the final text. These countries argued that IHL and the overemphasis on gender issues should not have been incorporated without achieving consensus. 

Were there any concrete proposals?

States discussed the proposal for conducting an intersessional on international law, and the Netherlands and Mexico proposed to broaden the list of relevant briefers (in para 33) so the OEWG can benefit from the expertise of stakeholders, including from regional and sub-regional organisations, businesses, NGOs, and academia. Some countries (e.g. the UK, Switzerland, Croatia) strongly supported this proposal.

Concerning the same para 33, South Africa proposed amending the language and replacing ‘developing a common understanding of the applicability of international law” to “better inform the OEWG’s deliberations’, arguing that States should not be forced and the OEWG should let the conversation about the applicability of the international law develop in a bottom-up manner.

Australia stressed that it does not support reference to the UN Secretariat compiling national views, noting this would be a duplication of existing efforts, such as those undertaken by UNIDIR. 

Outcomes

Both formulations ‘norms’ and ‘objectives’ have been removed from para 30 of Rev 2.

What did the stakeholders say?

Stakeholders reinstated the centrality of IHL and human rights in discussions on international law as applied to cyberspace and the importance of stakeholders in helping contextualise norms to their local and national contexts by developing and contributing to working papers, guidance and checklists. 

ICT for Peace Foundation urged further discussion on how peaceful settlement of disputes, state responsibility for incidence and state response options principles would translate to ICT in cyberspace.

CBMs

Are there any new debates?

Regarding the POCs, Russia expressed the view that the global intergovernmental POCs directory should become the “centrepiece in organising interaction of countries in response to computer attacks/incidents”. In this regard, Russia considered it inappropriate to limit cooperation between POCs to incidents with possible implications for international peace and security. Instead, the interaction between PoCs should be built on an ongoing basis, regardless of the significance of a computer incident. On the other hand, Switzerland noted that the PoCs network will complement the work of CERTs and CSIRTs in cases of ICT incidents with possible implications for international peace and security.

An unsolved issue is the nature of PoCs, which will be nominated for the directory. India noted that states should remain flexible on having multiple technical or operational POCs. India suggested the integration of the POC Directory Module with the Global Cyber Security Cooperation Portal – a mechanism proposed earlier by the Indian delegation. Ghana recommends that this nomination be made at a technical, policy, and diplomatic level due to the differences in capacities.

What did the stakeholders say?
In the context of track 2 processes, stakeholders encouraged delegations to partner with the private sector. These informal dialogues serve as a means to establish or re-establish mutual trust among involved parties. Furthermore, these dialogues are crucial in aiding states in co-creating a comprehensive set of CBMs.

Capacity building

Which were old disputes?

Iran notes that their recommendation for creating a new capacity-building mechanism under the UN has been disregarded. Instead, the focus solely revolves around enhancing coordination among existing mechanisms, which Iran cannot support.

Some states (e.g. Indonesia, Vietnam, and the Netherlands) supported considering gender perspective in capacity building. In contrast, a group of like-minded states such as Russia, Cuba, China, Venezuela, Nicaragua, Iran and others have not supported adding the gender-related wording. Iran and Russia wanted gender removed from the report, and Iran specifically wanted para 43 A, which relates to preparing a survey to identify countries’ needs regarding gender equality in the field of ICT security, removed.

Are there any new debates?

Indonesia proposed to connect the mapping of capacity building programmes to the implementation of the frameworks’ recommendations. The USA strongly supported it, while some states (e.g. Australia, Japan, and New Zealand) raised concerns about resources in conducting such a mapping. The USA and Japan, in particular, called for the making of most of the existing capacity-building efforts undertaken by other international organisations such as ITU. The Netherlands said that the text is missing the sub-regional aspects and proposed that it be added to reflect efforts from the regional level. The EU shared the same view and suggested that the UN could encourage and serve as a platform to enhance the implementation of the UN agreements and stipulate capacity building in this context, including cooperation with the multistakeholder community. Egypt believed the progress report should not refer to specific regional or sub-regional organisations. Australia disagreed and stressed the importance of mentioning concrete organisations, such as the GFCE. Hungary shared the view that while mapping is needed to coordinate better the efforts of the growing number of donors and implementers, the UN could undoubtedly play a complementary role. Still, other stakeholders have their roles to play.

What did the stakeholders say?

Stakeholders emphasised the significance of regional and cross-regional formats for sharing best practices and identifying capacity building needs to align these with national, regional, and international conferences.

Stakeholders also underlined the importance of mainstreaming Capacity Building Principles into capacity building efforts. The organisation Developing Capacity mentioned the opportunity of doing this at the Global Conference on Capacity Building in Ghana next November.

Finally, a concrete proposal was made by the ICC in the name of 21 other stakeholders to add language that explicitly states that the OEWG should consider how cybersecurity considerations and good practices can be integrated into future digital development projects.

Regular institutional dialogue

Which were old disputes?

To PoA or not to PoA

The division among delegations was stark, splitting Cuba, Iran, Pakistan, Syria and Russia on one side and the EU, the USA, Korea, France, and other Western democracies on the other. The critical point of contention lay between those favouring the Program of Action (PoA) and those advocating for equal consideration of all country proposals.

Cuba and Iran were proponents of inclusivity, urging the incorporation of all future mechanism proposals into the report. Russia voiced concerns about the existing draft, arguing that the section on regular institutional dialogue was biassed in favour of the PoA. Syria asserted that prioritising the PoA gave the impression of broad consensus, contrary to the working group’s mandate to consider various security initiatives. Syria also noted that discussions revealed differing viewpoints on the effectiveness of the PoA and recommended evaluating it before any definitive steps.

Conversely, the US strongly criticised these states’ push for an authoritarian revision of the consensus framework, pointing out that their proposal lacked substantial backing and had been repeatedly dismissed over the years. They maintained that proposals should only be included in the report if they garnered significant support.

Portugal and Korea also supported the PoA, citing its considerable support under the UN’s umbrella, referencing broad approval from member states through General Assembly resolution 7737.

The EU emphasised that the PoA could enhance transparency, credibility, and sustainability in decision implementation.

Finally, China introduced a potential compromise, suggesting compiling common elements from various positions and proposals to reduce differences and find convergences. They emphasised the importance of a balanced representation of all parties’ positions in the report.

Legally binding vs deletion of 49 C (bis)

Pakistan, Iran and Russia advocated for the work of the future mechanism to be based on the recommendations of the OEWG and the possibility of crafting a legally binding ICT instrument within that framework.

However, several delegations, including Belgium, Korea, the EU, the USA, and Japan, among others, supported France’s proposal to remove paragraph 49 C bis due to concerns about incorporating language about a legally binding instrument. Korea viewed such an instrument as premature and suggested the deletion of 49 C bis, aligning with the perspectives of other countries like the EU, the USA, Japan, and France, that if it were included at all, it should be under the international law section. Vietnam also deemed paragraph 49 C inappropriate in acknowledging diverse views and ideas discussed in the working group, echoing the language from the 2021 OEWG report.

State-led vs intergovernmental

Similarly, the block of Russia, Syria and China supported the proposals made by Cuba and Iran, among other countries, to change state-led to intergovernmental regarding fifth paragraph 53. Conversely, Western democracies defended the state-led nomenclature.

Are there any new debates?

A new debate about the consensus in the future regular institutional dialogue emerged:  France noted that para 56. should not prejudge that the decision-making processes in the future mechanism will be consensus-based. Australia and Austria supported France’s suggestion. Iran said that paragraph 56 does not reflect the need to pay attention to a step-by-step negotiation approach. The USA noted that para 56 is too prescriptive – states do not need to agree by consensus on establishing a future mechanism for regular institutional dialogue, as the General Assembly does not require it. Austria supported this view.

Were there any concrete proposals?

The IPS forum (India, Brazil and South Africa) proposed a comprehensive institutional dialogue mechanism encompassing crucial aspects of the ICT environment, including trust-building and deeper discussion on aspects lacking common understanding. This mechanism should be intergovernmental, open, inclusive, transparent, flexible, and action-oriented, operating by consensus to prevent stagnation while avoiding a potential veto power.

Vietnam suggested that the future mechanism should build upon the efforts of GGE and OEWG, as indicated in paragraph 51. In the same paragraph, Bangladesh proposed this mechanism should have a multistakeholder approach. Numerous countries advocated for dedicated intersessional meetings to delve into specific discussions and elaborate on the modalities of the PoA. 

The US proposed inserting a new paragraph 49 b, highlighting discussions on UNGA resolution 7737. This resolution supports a new Program of Action for responsible state behaviour in cyberspace, including an SG report on scope, structure, and content, to be discussed at the OEWG after release in July 2023. 

France, the EU, and the US proposed that the APR reflects the SG report and intersessional meeting outcomes regarding the POA’s modalities. Additionally, the UN Secretariat was requested to brief the OEWG during the OEWG’s sixth session about the POA’s scope, content, and structure.

The Philippines underlined the importance of addressing the gender digital divide in future dialogues, alongside promoting meaningful participation and leadership of women in future decision-making mechanisms. In a complementary vein, Nigeria proposed incorporating responsible state behaviour and an online child protection mechanism, aligning with efforts to combat online gender exploitation. Australia recommended embedding these proposals as a fundamental principle within paragraph 51. While not in Section G of the final APR draft, the gender perspective is mentioned in the Threats and Capacity Building sections.

Outcomes
To settle divergence on the proposals for the future mechanism, the APR reflects other proposals made for regular institutional dialogue while highlighting the progress made in discussing the PoA (para 52b). The wording on the future permanent mechanism followed the compromise suggested by China. As an initial step to building confidence and convergence, States will propose some common elements that could underpin the development of any future mechanism for regular institutional dialogue (para 53).  This approach aims to build consensus while maintaining discourse on the suggestions highlighted in subparagraphs 52(a) to 52(b). 
Other noteworthy aspects integrated into the APR encompassed focused dialogues on the relationship between the PoA and OEWG and acknowledgement of the relevance of previous OEWG and GGE work (paragraph 55c), both proposals made by Vietnam. Additionally, paragraphs 52, ‘an open, inclusive, transparent, sustainable and flexible process’ and 52a, ‘understanding in areas where no common understandings have yet emerged’, reflected the suggestions made by the IPS forum. Additionally, the engagement of various stakeholders, including businesses, NGOs, and academia, was recognised as pertinent, so Bangladesh’s proposal was included in paragraph 57. The proposal on dedicated intersessional meetings to continue discussions on the PoA received broad support. It was included in paragraph 58 with the amendment ‘to further discuss proposals on regular institutional dialogue, including the PoA.’As per the proposal by the US, there was no mention of UNGA resolution 7737. However, the Secretariat was still requested to brief the OEWG at its sixth session on the report of the Secretary-General submitted to the General Assembly at its seventy-eighth session.

What did the stakeholders say?

Stakeholders supported the proposals that the future permanent mechanism should be multistakeholder. Access Now proposed discussions on the PoA would benefit from even further openness and planning around how stakeholders can contribute.