OEWG’s ninth substantive session: Limited progress in discussions
The OEWG held its ninth substantive session in December 2024, where states continued to discuss threats, norms, international law, CBMs, capacity building and the mechanism that will follow the OEWG 2021-2025.

The UN Open-Ended Working Group (OEWG) on the security of and in the use of information and communications technologies in 2021–2025 held its ninth substantive session on 2-6 December 2024.
During the session, states outlined cooperative measures to counter cyber threats, continued discussions on possible new norms, tried to reach additional layers of understanding on the international law, discussed elements of the future permanent mechanism, discussed CBMs implementation and the POC Directory operalisation, deliberated the development and operationalisation of the Global Portal on Cooperation and Capacity-Building and the Voluntary Fund, and debated about the shape of the UN mechanism that will succeed the OEWG 2021-2025.
While there was consensus on certain broad goals, contentious debates highlighted deep divisions, particularly regarding the applicability of international law, the role of norms, and the modalities of stakeholder participation.
Some of the main takeaways from this session are:
- The threat landscape is rapidly evolving and with it, the OEWG discussions on threats, including measures to counter those threats.
- The discussion on norms backslides into old disputes, namely the implementation of existing norms vs the development of new norms, in which states hold their old positions. However, the discussion is not entirely static, as many proposals for new norms have emerged.
- While the discussions on international law have deepened, and the states have presented very detailed views, there is still no agreement on whether new legally binding regulations for cyberspace are needed.
- The discussions on CBMs included numerous practical recommendations pertaining to CBM implementation, the sharing of best practices and the operationalisation of the POC directory.
- Opinions differ on several issues regarding capacity building, including specific details on the structure and governance of the proposed portal, the exact parameters of the voluntary fund, and how to effectively integrate existing capacity-building initiatives without duplication.
- States disagreed on the scope of thematic groups in the future mechanism: while some countries insist on keeping traditional pillars of the OEWG agenda (threats, norms, international law, CBMs and capacity building), others advocate for a more cross-cutting and policy-oriented nature of such groups. The modalities of multistakeholder engagement in the future mechanism are also in the air. The agenda for the next meeting of the OEWG in February 2025 will likely be inverted, and delegations will start with discussions on regular institutional dialogue to ensure enough time is dedicated to this most pressing issue.
Threats: A rapidly evolving threat landscape
Discussions on threats have become more detailed – almost one-fourth of the session was dedicated to this topic. The chair noted that reflection of the rapidly evolving threat landscape, but also signals a growing comfort among states in candidly addressing these issues.
What’s particularly interesting about this session is that states have dedicated just as much—if not more—time to discussing cooperative measures to counter these threats as they have to outline the threats themselves.
Threats states face in cyberspace
Emerging technologies, including AI, quantum computing, blockchain, and the Internet of Things (IoT), took centre stage in discussions. Delegates broadly acknowledged the dual-use nature of these innovations. On one hand, they offer immense developmental potential; on the other, they introduce sophisticated cyber risks. Multiple states, including South Korea, Kazakhstan, and Canada, highlighted how AI intensifies cyber risks, particularly ransomware, social engineering campaigns, and sophisticated cyberattacks. Concerns about AI misuse include threats to AI systems (Canada), generative AI amplifying attack surfaces (Israel), and adversarial manipulations such as prompt injections and model exfiltration (Bangladesh).
Nations including Guatemala and Pakistan stressed the risks of integrating emerging technologies into critical systems, warning that without regulation, these systems could enable faster and more destructive cyberattacks.
Despite the risks, states like Israel and Paraguay recognised the positive potential of AI in strengthening cybersecurity and called for harnessing its benefits responsibly. Countries like Italy and Israel called for international collaboration to ensure safe and trustworthy development and use of AI, aligning with human rights and democratic values.
Ransomware remains one of the most significant and prevalent cyber threats, as multiple delegations highlighted. Switzerland and Ireland flagged the growing sophistication of ransomware attacks, with the rise of ransomware-as-a-service lowering barriers for cybercriminals and enabling the proliferation of such threats. The Netherlands and Switzerland noted ransomware’s profound consequences on societal security, economic stability, and human welfare. Countries including Italy, Germany, and Japan emphasised ransomware’s disruptive impact on critical infrastructure and essential services, such as hospitals and businesses.
Critical infrastructure has become an increasingly prominent target for cyberattacks, with threats stemming from both cyber criminals and state-sponsored actors. Essential services such as healthcare, energy, and transportation are particularly affected. However, the EU, along with countries such as the Netherlands, Switzerland, and the USA, have also raised concerns about malicious activities disrupting essential services and international organisations, including humanitarian agencies.
Countries such as Ireland, Canada, Argentina, Fiji and Vanuatu have raised alarms about the rising number of cyber incidents targeting these critical subsea infrastructures. These cables are vital for global communication and data transfer, and any disruption could have severe consequences. Ireland called for further examination of the particular vulnerabilities and threats to critical undersea infrastructure, the role of states in the private sector in the operation and security of such infrastructure, and the application of international law which must govern responsible state use and activity in this area.
Germany and Bangladesh highlighted the role of AI in automating disinformation campaigns, scaling influence operations and tailoring misinformation to specific cultural contexts. Countries such as China, North Korea and Albania noted the rampant spread of false narratives and misinformation, emphasising their ability to manipulate public opinion, influence elections, and undermine democratic processes. Misinformation is weaponised in various forms, including phishing attacks and social media manipulation. Misinformation and cyberattacks are increasingly part of broader hybrid threats, aiming to destabilise societies, weaken institutions, and interfere with electoral processes (Albania, Ukraine, Japan, Israel, and the Netherlands). Several countries, including Cuba, Russia, and Bangladesh, stressed how cyber threats, including disinformation and ICT manipulation, are used to undermine the sovereignty of states, interfere in internal affairs, and violate territorial integrity. Countries like Israel and Pakistan warned of the malicious use of bots, deepfakes, phishing schemes, and misinformation to influence public opinion, destabilise governments, and compromise national security. Bosnia highlighted the complexity of these evolving threats, which involve both state and non-state actors working together to destabilise countries, weaken trust, and undermine democratic values.
Cyber operations in the context of armed conflict are no longer a novel concept but have become routine in modern warfare, with enduring consequences, according to New Zealand. Similar observations were made by countries such as the USA, Germany, Albania, North Korea and Pakistan. A worrisome development was brought forth by Switzerland, which noted the involvement of non-state actors in offensive actions against ICTs within the framework of armed conflict between member states.
Countries are also increasingly concerned about the growing sophistication of hacking-as-a-service, malware, phishing, trojans, and DDoS attacks. They are also concerned about the use of cryptocurrencies for enhanced anonymity. Israel also highlighted that the proliferation and availability of advanced cyber tools in the hands of non-state actors and unauthorised private actors constitute a serious threat. The proliferation of commercial cyber intrusion tools, including spyware, is raising alarm among nations like Japan, Switzerland, the UK and France. The UK and France emphasised that certain states’ failure to combat malicious activities within their territories exacerbates the risks posed by these technologies. Additionally, Kazakhstan warned about advanced persistent threats (APTs) exploiting vulnerable IoT devices and zero-day vulnerabilities.
Cuba rejected the militarisation of cyberspace, offensive operations, and information misuse for political purposes. They called for peaceful ICT use and criticized media platforms for spreading misinformation. The UK emphasised states’ responsibilities to prevent malicious activities within their jurisdiction and to share technical information to aid network defenders. Russia warned against hidden functions in ICT products used to harm civilian populations, calling for accountability from countries enabling such activities. Columbia suggested that states which have been the victims of cyberattacks could consider the possibility of undertaking voluntary peer reviews, where they would share their experiences, including lessons learned, challenges, and protocols for protection, response, and recovery.
Cooperative measures to counter threats
Most countries noted the role of capacity building in enabling states to protect themselves. The EU called for coordinated efforts to capacity building and for more reflection on best practices and practical examples. Capacity-building initiatives should align with regional and national contexts, Switzerland and Kazakhstan noted, focusing on identifying vulnerabilities, conducting cyberattack simulations, and developing robust measures, Kazakhstan noted. Columbia highlighted that states should express their needs for capacity building to adequately identify the available supply. Malawi and Guatemala advocated for capacity building, partnerships with international organisations, and knowledge-sharing between governments, the private sector, and academia. Albania emphasised the importance of UN-led training initiatives for technical and policy-level personnel.
The discussions highlighted the urgent need to bridge the technological divide, enabling developing countries to benefit from advancements and manage cyber risks. Vanuatu emphasised the importance of international capacity-building and cooperation to ensure these nations can not only benefit from technological advancements but also manage the associated risks effectively. Zimbabwe called for the OEWG to support initiatives that provide technical assistance and training, empowering developing nations to build robust cybersecurity frameworks. Cuba reinforced this by advocating for the implementation of technical assistance mechanisms that enhance critical infrastructure security, respecting the national laws of the states receiving assistance. Nigeria stressed the importance of equipping personnel in developing countries with the skills to detect vulnerabilities early and deploy preventive measures to safeguard critical information systems.
States also noted that the topic of threats must be included in the new mechanism. Mexico proposed creating a robust deliberative space within the mechanism to deepen understanding and foster cooperation, enhancing capacities to counter ICT threats. Sri Lanka supported reviewing both existing and potential ICT threats within the international security context of the new mandate. Brazil suggested the future mechanism should incorporate dedicated spaces for sharing threats, vulnerabilities, and successful policies. Some countries gave concrete suggestions for thematic groups on threats under the new mechanism. For instance, France highlighted that sector-specific discussions on threats and resilience could serve as strong examples for thematic groups within the future mechanism. Colombia called for a standing thematic working group focused on areas like cyber incident management, secure connectivity technologies (e.g., 5G), and policies for patching and updates. Singapore emphasised using future discussions to focus on building an understanding of emerging technologies and their governance. Egypt advocated for a flexible thematic group on threats within the mechanism, capable of examining ICT incidents with political dimensions.. New Zealand recommended focusing discussions on cross-cutting themes such as critical infrastructure, enabling states to better understand and mitigate threats. Cuba echoed the importance of the future permanent mechanism taking into account the protection of critical infrastructure, and underscored the importance of supporting developing countries with limited resources to protect critical infrastructure.
Delegations highlighted the Global Point of Contact (POC) Directory as a key tool for enhancing international cooperation on cybersecurity. Ghana, Argentina and Kazakhstan emphasised its role in facilitating information exchange among technical and diplomatic contacts to address cyber threats. South Africa proposed using the POC Directory for cybersecurity training and sharing experiences on technologies like AI. Chile stressed that the POC Directory can play a central role in the for improved cyber intelligence capacity and coordinated responses to large-scale incidents. Malaysia called for broader participation and active engagement in POC activities.
Several countries emphasised the importance of strengthening collaboration among national Computer Emergency Response Teams (CERTs). Ghana and New Zealand supported CERT-to-CERT cooperation, with Ghana calling for sharing best practices. Nigeria suggested creating an international framework for harmonising cyber threat responses, including strategic planning and trend observation. Singapore highlighted timely and relevant CERT-related information sharing and capacity building as key to helping states, especially smaller ones, mitigate threats. Fiji prioritised capacity building for CERTs.
Several nations, including Argentina, Sri Lanka, and Indonesia, called for establishing a global platform for threat intelligence sharing. These platforms would enable real-time data exchange, incident reporting, and coordinated responses to strengthen collective security. Such mechanisms, built on mutual trust, would also facilitate transparency and enhance preparedness for emerging cyber challenges. Switzerland voiced support for discussing the platform but also noted that exchanging each member state’s perception of the identified threats can happen through bilateral, regional, or multilateral collaboration forums, or simply by making a member state’s findings publicly accessible.
Egypt noted that there must also be discussions on both the malicious use of ICT by non-state actors, as well as the role and responsibilities of the private sector in this regard.
Countries like El Salvador and Ghana underscored the importance of integrating security and privacy by design approaches into all stages of system development, ensuring robust protections throughout the lifecycle of ICT systems.
Norms: New norms vs norms’ implementation
The discussions on norms highlighted once again the division of states on binding vs voluntary andell as the implementation of existing norms vs the development of new norms.
The chair invited all delegations to reflect on how states can bridge the divides if the discussion on new norms means that states are not prioritising implementation and if states can do both. The chair reminded stakeholders that ideas for new norms have come from delegations, but also from stakeholders. He also added that some of the delegations have said it’s too late to discuss new norms because the process is concluding (e.g. Canada); However, he reminded that when states began the process, some of the delegations also said it’s too early to get into a discussion because it’s important to focus on implementation. The chair concluded by noting that ‘it’s never a good time and it’s always a good time’.
First of all, the main disagreement was over binding vs voluntary norms as well as implementation of existing norms vs development of new norms. Some states, including Zimbabwe, Russia, and Belarus, advocate for the development of a legally binding international instrument to govern ICT security and state behaviour. They argue that existing voluntary norms are insufficient to address emerging threats.
However, the discussion also served as a platform for new proposals from delegations to achieve a safe and secure cyber environment.
Some states also proposed specific new norms to address emerging challenges:
- El Salvador suggested recognising the role of ethical hackers in cybersecurity.
- Russia proposed several new norms, including:
- The sovereign right of each state to ensure the security of its national information space as well as to establish norms and mechanisms for governance in its information space in accordance with national legislation.
- Prevention of the use of ICTs to undermine and infringe upon the sovereignty, territorial integrity and independence of states as well as to interfere in their internal affairs.
- Inadmissibility of unsubstantiated accusations brought against states of organising and committing wrongful acts with the use of ICTs including computer attacks followed by imposing various restrictions such as unilateral economic measures and other response measures
- Settlement of interstate conflicts through negotiations, mediation, reconciliation or other peaceful means of the state’s choice including through consultations with the relevant national authorities of states involved.
- Belarus suggested new norms which could include the norm of national sovereignty, the norm of non-interference in internal affairs, and the norm of exclusive jurisdiction of states over the ICT sphere within the bounds of their territory.
- China noted that new norms could be developed for data security, supply chain security, and the protection of critical infrastructure, among others.
In addition to this, some states proposed amending or enhancing the existing norms:
- EU would like to see greater emphasis on the protection of all critical infrastructures supporting essential public services, particularly medical and healthcare facilities, along with enhanced cooperation between states. The EU also wants a priority focus on the critical infrastructure norms 13F, G and H.
- El Salvador proposed strengthening privacy protections under Norm E, which Malaysia, Singapore and Australia supported.
- UK suggested a new practical action recommending that states safeguard against the potential for the illegitimate and malicious use of commercially available ICT intrusion capabilities by ensuring that their development, dissemination, purchase, export or use is consistent with international law, including the protection of human rights and fundamental freedoms under Norm I, which Canada, Switzerland, Malaysia, Australia, France supported.
- Kazakhstan proposed:
- adding a focus on strengthening personal data protection measures through the development and enforcement of comprehensive data protection laws to safeguard personal data from unauthorized access, misuse, or exploitation under the norm E
- emphasising the importance of conducting international scenario-based discussions that simulate ICT-related disruptions under Norm G
- establishing unified baseline cybersecurity standards will enable all states, respective of their technological development, to protect their critical infrastructure effectively under Norm G
- promoting ethical guidelines for the development and use of technologies such as AI under Norm K
- Canada suggested adding text under norm G: ‘Cooperate and take measures to protect international and humanitarian organizations against malicious cyber activities which may disrupt the ability of these organizations to fulfill their respective mandates in a safe, secure and independent manner and undermine trust in their work’
In contrast, other states such as the US, Australia, UK, Canada, Switzerland, Italy and others opposed the creation of new binding norms and highlighted the necessity to prioritise the implementation of the existing voluntary framework.
In between these two polar opposites, there were states who favoured a parallel development arguing that the implementation and the development of new norms can proceed simultaneously. These states were Singapore, China, Indonesia, Malaysia, Brazil, and South Africa.
Egypt questioned if states need to discuss enacting a mix of both binding and non-binding measures to deal with the increasing and rapid development of threats, as well as suggested that states might consider developing a negative list of actions that states are required to refrain from.
Japan called for a priority to focus on the implementation of the norms in a more concrete way. Russia called for the same, and suggested that states present a review of their compliance with national legislation and doctrinal documents with the rules, norms, and principles of behaviour in the field of international information security (IIS), which has been approved by the UN. Russia submitted its review of national compliance with the agreed norms.
International law: applicability to use of ICTs in cyberspace
More than fifty member states delivered their statements in the discussions on international law, which included several small and developing states that have previously not done so.
The discussions highlighted the diverse national and regional perspectives on the application of international law, especially the Common African Position on the application of international law in cyberspace, and the EU’s Declaration on a Common Understanding of International Law in Cyberspace. Tonga, on behalf of the 14 Pacific Island Forum member states, presented a position on international law affirming that international law, including the UN Charter in its entirety, is applicable in cyberspace. Fiji, on behalf of a cross-regional group of states that includes Australia, Colombia, El Salvador, Estonia, Kiribati, Thailand, and Uruguay has recalled a working paper that reflected additional areas of convergence on the application of international law in the use of ICTs.
As mentioned by Canada, Ireland, France, Switzerland, Australia, and others, these statements build momentum at the OEWG in building common understandings on international law, as over a hundred states have individually or collectively published their positions.
Applicability of international law to cyberspace
Despite the many published statements and intensified discussions, the main major rift between the states persists. On the one hand, the vast majority of the member states call for discussions on how international law applies in cyberspace and do not see the reason to negotiate new legally binding regulations. On the other hand, some states want to see the development of new legally binding regulations (Iran, also recalling requests by the countries of the Non-Aligned Movement, Cuba on behalf of the delegations of the Bolivarian Republic of Venezuela, Nicaragua, as well as Russia, China, Pakistan).
The majority of the states addressed the need to emphasise the applicability of international humanitarian law in the cyber context (EU, Lebanon, the USA, Australia, Poland, Finland, Republic of Korea, Japan, Malawi, Egypt, Sri Lanka, Brazil, South Africa, the Philippines, Ghana, and others) recalling the Resolution on protecting civilians and other protected persons and objects against the potential human cost of ICT activities during armed conflict adopted by consensus at the 34th International Conference of the Red Cross and Red Crescent as a major step forward in international armed conflicts.
EU, Colombia, El Salvador, Uruguay, Australia, Estonia, and others expressed regret that the APR3 did not include a reference to the international humanitarian law and called for it to be included in the final OEWG report.
Other topics
The states also shared what topics in international law shall be discussed in more detail. State responsibility, sovereignty and sovereign equality, attribution and accountability were the most mentioned topics. The member states differed in their opinions on whether the topic of international law and norms should be discussed in the future mechanism within one thematic track or not.
On capacity building in international law, scenario-based exercises received overwhelming support, with Ghana and Sierra Leone recalling the importance of South-South cooperation and regional capacity-building efforts.
One of the main deciding factors for the future of discussions on international law will certainly be the future permanent mechanism if the states decide to establish under said mechanism a dedicated group which will discuss international law. That would allow states to keep a status quo until the end of the OEWG’s mandate and defer the issue to the next mechanism.
CBMs: Implementing the CBMs and operationalising the POC directory
This session was marked by noticeable activity in the CBM domain – from both developed and developing states – with the organisation of substantial side events and dedicated conferences as well as cross-regional meetings throughout the year. The letter sent by the chair in mid-November channelled pragmatic discussions and the session was marked by numerous practical recommendations pertaining to CBM implementation, the sharing of best practices and the operationalisation of the POC directory.
A new dynamic concerning CBMs is emerging, now that additional CBMs no longer appear to be a concern. It is likely that the further implementation of CBMs will rely on capillarity. First, from the general CBM implementation point of view, capillarity is expected through the sustained commitment from states to share best practices in a cross-regional way, as shown in the inter-regional conference on cybersecurity organized by the Republic of Korea and North Macedonia, bringing together the OSCE, OAS, ECOWAS and African Union. Second, new levels of participation in the POC directory have been specifically linked to such initiatives and to more general capacity-building to which states are highly recommended to contribute.
CBMs implementation and sharing of best practices
Whereas the guiding questions provided by the chair were oriented towards the implementation of existing CBMs, few new CBMs and measures were nevertheless proposed and not extensively picked up nor discussed by most delegations. The well-worn question of shared technical terminology was brought back to the table solely by Paraguay, and Thailand mentioned an additional measure about CERT-to-CERT cooperation. Finally, Iran proposed a 9th CBM considering the facilitation of access to the ICT security market with the view to mitigate potential risks in the supply chain. El Salvador and Malaysia recommended the inclusion of voluntary identification of critical infrastructure and critical information infrastructure to the CBM 7 current phrasing.
Focusing on implementation, Switzerland shared an OSCE practice called ‘Adopt-a-CBM’ in which individual or several states adopt a CBM and are committed to its implementation and recommended that CBMs 2, 5, 7 and 8 would be suitable for this approach. Kazakhstan also advised something similar in focusing on specific CBMs and engaging with individual states to promote them. Indonesia and El Salvador displayed numerous ways to foster the implementation of CBMs, among which the importance of shared practices that could fuel guidelines as practical reference for member states.
A substantive engagement by various states was noted, especially about the sharing of specific practices pertaining to each CBMs. Whereas most of these practices are usually confined to regional frameworks, it is noticeable that numerous states have densely exchanged best practices at an ever more global level through the application of CBM 6 about the organisation of workshops, seminars and training programs with inclusive representation of states (Germany, Korea, Peru, Fiji and the UK) and CBM 2 about the exchanging of views and dialogue from bilateral to cross-regional and multilateral levels (Germany, Peru, and Moldova). Consequently, some states also shared their application of CBM 5 about the promotion of information exchange on cooperation and partnership between states to strengthen capacity-building (Korea, Peru). More specific best practice exchange on the protection of CI and CII (CBM 7) was also noted to be undertaken by several states (Malaysia, Fiji, and the UK). Finally, CBM 8 on the strengthening of public-private sector partnership and cooperation was also fostered by several states (Korea, Albania, and the UK).
POC directory operationalisation
At the time of the 9th substantive meeting, 111 countries had joined the POC directory. Most states sharing insights on ways to increase participation suggested raising awareness through workshops, webinars and side events (for instance, Albania and Kazakhstan). At this level of participation, it is reasonable to think that any increase in participating states should be considered a matter of capacity-building (South Africa).
Still, some states already started sharing their experience with the use of the POC and the feedback could not be more contrasted. On the one hand, Russia stated that it already had problems when cooperating on incident response through the POC directory given that some contacts did not work and some technical POCs had too limited powers which left them unable to respond to notifications. Consequently, it recommended that the determination of the scope of competence of each of the POC should be the first priority task, only supported by Slovakia. On the other hand, France shared that it had received several demands of communications since the creation of the POC and that it answered positively to all of them. Russia and China urged other states to actively use the POC directory; France nevertheless advocated not to exploit and overuse the tool at the risk of making it inoperable.
Lines of division nevertheless sometimes fade and the one about the template question was definitely less stark than last session, considering that few states expressed their reluctance to build such a template (Switzerland and Israel). Contributions nevertheless ranged from general opinion about the format of the template to the very detail of its content. Most delegates advocated for flexible and voluntary templates (Indonesia, Malaysia, Singapore, Thailand, the Netherlands and Paraguay). This framing was justified as enabling a better accommodation of different institutional frameworks as well as local and regional concerns (Brazil, Thailand, the Netherlands, and Singapore). All states nevertheless reasserted the necessity for the template to be as simple as possible for either capacity-building and resource constraints (Kiribati and Russia) or emergency reasons (Brazil, Paraguay, and Thailand). South Africa, supported by Brazil, proposed that the template should at a minimum provide a brief description of the nature of assistance sought, details of the cyber incident, acknowledgement of receipt by the requested state and provide indicative response timeframes. Indonesia added to this list the response actions taken, the requests for technical assistance or additional information and the emergency contacts options. Finally, Kazakhstan notably suggested numerous examples of templates each dedicated to various scenarios such as incident escalation, threat intelligence, CBM reporting, POC verification, capacity-building, cross-border incident coordination, annual reporting and lessons learned. The Secretariat is still expected to produce such a template by April 2025 and the chair expressed its intention to have standardised templates as an outcome of the July report.
Capacity building: Trust fund and Global Cyber Security Cooperation Portal
(GCSCP)
(GCSCP)
As usual, capacity building is one of the topics where there is a high level of consensus, albeit in broad strokes. There isn’t a single delegation denying the importance of capacity building to enhance global cybersecurity. However, opinions differ on several issues, including specific details on the structure and governance of the proposed portal, the exact parameters of the voluntary fund, and how to effectively integrate existing capacity-building initiatives without duplication. It is expected that the OEWG will continue to speak about these issues at length in order to have concrete details in its July 2025 Annual Progress Report (APR) and to allow the future mechanism to dive deeper into capacity building.
During the December session, delegations discussed the development and operationalisation of the Global Portal on Cooperation and Capacity-Building. Most delegations envisioned the portal as a neutral, member-state-driven platform that would adapt dynamically to an evolving ICT environment, integrating modules like the needs-based catalogue to guide decision-making and track progress as well as Kuwait’s latest proposal to add a digital tool module to streamline norm adoption. On the contrary, Russia expressed concerns over the exchange of data on ICT incidents through the portal, stating that such data is confidential data and could be used to level politically motivated accusations.
The session also discussed the creation of a Voluntary Contribution Fund to support capacity building in the future permanent mechanism. South Africa and other delegations highlighted the need for clearly defined objectives, governance, and operational frameworks to ensure the fund’s efficiency and transparency. Monitoring mechanisms were deemed essential to guarantee alignment with objectives. Delegates broadly agreed on avoiding duplication of efforts, emphasising that the portal and the fund should complement existing initiatives such as the UNIDIR cyber policy portal, the GFCE civil portal, and the World Bank Cyber Trust Fund, rather than replicate their functions or those of regional organizations.
Further deliberations addressed the timing of the next High-Level Global Roundtable on capacity building. The roundtable’s potential overlap with the 2025 Global Conference on Cyber Capacity Building in Geneva presented scheduling challenges, prompting consideration of a 2026 date. Discussions on UNODA’s mapping exercise revealed mixed views: while it highlighted ongoing capacity-building efforts, many felt it inadequately identified gaps, leading to calls for a yearly mapping exercise.
Finally, multistakeholder engagement emerged as a contentious issue, with Canada and the UK criticising the exclusion of key organisations like FIRST and the GFCE from formal sessions. Delegates called for reforms to ensure broader, more inclusive participation from non-governmental and private sector entities essential to global cybersecurity efforts.
Regular institutional dialogue: Thematic groups and multistakeholder participation
During the last substantive session in July 2024, states adopted the third Annual Progress Report (APR) which contained some modalities of the future regular institutional dialogue (RID) mechanism. One substantive plenary session, at least a week long, will be held annually to discuss key topics and consider thematic group recommendations. States decided that thematic groups within the mechanism would be established to allow for deeper discussions. The chair may convene intersessional meetings for additional issue-specific discussions. A review conference every five years will monitor the mechanism’s effectiveness, provide strategic direction, and decide on any modifications by consensus.
At the December 2024 substantive session, states continued discussing the number and scope of dedicated thematic groups and modalities of stakeholder participation.
Thematic groups in the future mechanism
There was a general divergence between states regarding the scope of thematic groups. Russia, Cuba, Iran, China, and Indonesia insisted on keeping traditional pillars of the OEWG agenda (threats, norms, international law, CBMs and capacity building). However, the EU, Japan, Guatemala, the UK, Thailand, Chile, Argentina, Malaysia, Israel, and Australia advocated for a more cross-cutting and policy-oriented nature of such groups.
France and Canada gave suggestions in that vein. France suggested creating three groups that would discuss (a) building the resilience of cyber ecosystems and critical infrastructures, (b) cooperation in the management of ICT-related incidents, and (c) prevention of conflict and increasing stability in cyberspace. Canada suggested addressing practical policy objectives, such as protecting critical infrastructure and assisting states during a cyber incident, including through focused capacity building. The USA suggested the same two groups and highlighted that the new mechanism should maintain the best of the OEWG format but also allow for more in-depth discussion via the cross-cutting working groups on specific policy challenges.
The chair noted that the pillars could help organise future plenary sessions and that cross-cutting groups do not have to signal the end of pillars.
Some states asked for a dedicated group on the applicability of international law (Switzerland, Singapore), but Australia objected. Also, states proposed a dedicated group to create a legally binding mechanism (Cuba, Russia, Iran, South Africa, Thailand). Israel suggested having rotating agendas for thematic groups to keep their number limited.
Multistakeholder participation in the future mechanism
One issue that the OEWG has been struggling with from the start is modalities of multistakeholder engagement. The extent and nature of stakeholder participation was an issue at this session as well. The EU called for meaningful stakeholder participation without a veto from a single state. Canada proposed an accreditation process for stakeholders while emphasising that states would retain decision-making power. Mexico proposed creating a multistakeholder panel to provide inputs on agenda items and suggested considering the UN Convention on Climate Change model for stakeholder participation. Israel suggested adopting stakeholder modalities similar to the Ad Hoc Committee on Cybercrime. In contrast, Iran and Russia argued for maintaining current OEWG modalities, limiting stakeholder participation to informal, consultative roles on technical matters.
A number of questions remain open, the Chair noted. For instance, is there a need for a veto mechanism for stakeholder participation in the future process? If yes, is there a need for an override mechanism, or a screening mechanism? Is there a need for identical modalities for stakeholder participation in different parts of the future process?
As for the timing of meetings, states also expressed concerns that sessions are too lengthy and that attending numerous thematic sessions and intersessionals will be burdensome for small state delegations. The option to turn some of them into hybrid/virtual meetings was also criticised because states miss the opportunity for in-person interaction onsite. Another way to condense all the activities in 2-3 weeks at once also causes problems as there will be no room for reaching any agreement without properly consulting capital.
Argentina and South Korea asked for a report on the budget implications of the specialised groups, other mechanism initiatives, and the secretariats’ work.
Finally, Canada, Egypt, the USA, the Philippines, New Zealand, the UK, Malaysia, Switzerland, Izrael, Colombia, and Czechia expressed the wish to dedicate more time to discuss the next mechanism at the beginning of the next substantive session. At the same time, Brazil, Argentina and South Africa suggested spending the entire February session on this issue.
What’s next?
As the end of the mandate approaches, with only one more substantive session scheduled in February 2025, the pressure for progress in multiple areas is mounting.
So far, CBMs and capacity building remain the most uncomplicated topics to discuss and are just waiting to be operationalised. In fact, the OEWG’s schedule for the first quarter of 2025 includes the Global POC Directory simulation exercise and an example template for the Global POC Directory, as well as reports on the Global Ict Security Cooperation And Capacity-Building Portal and the Voluntary Fund.
The discussion on threats has deepened, maintaining momentum despite occasional tensions between geopolitical rivals.
However, the discussions on norms and international have been static for quite some time, with deeply entrenched views not budging. RID is currently the most pressing issue if states want to hit the ground running and not get tangled in red tape at the beginning of the next mechanism.
To expedite discussions on RID, the Chair will put together a discussion paper and make it available to delegations well before the next substantive session in February 2025. The chair will also likely schedule an informal town hall meeting before the February session to hear reactions.
Interested in more OEWG? Visit our dedicated page: