The final session of the UN Open-Ended Working Group on ICTs will consider the progress made over four years of negotiations amid what has been a difficult period for international peace and security. While States have achieved notable progress across the framework, competing proposals on the future permanent mechanism leave the outcome uncertain. Avoiding deadlock is key, but the costs for the international community and stakeholders alike remain uncertain.
Cyber norms revive antagonism but international law leaps forward
As the UN Open-Ended Working Group on ICTs (OEWG) heads into its final session in July, the step-by-step progress on reaching common understandings, alongside some very tangible and practical outputs, is palpable. Yet, key divides persist. The tensions are best exemplified by the long-standing issue of norms implementation versus creating new norms or, as some States argue, the need for legally binding commitments. Formulated in the UN Group of Governmental Experts (GGE) report in 2015, cyber norms are a critical pillar of the framework of responsible State behaviour in cyberspace. The changing threat landscape and constant violation of these norms by some countries at the same time prompt reflections on potential revisions. Three considerations arise from these realities––whether norms are technology-agnostic or technology-specific; whether new norms need to be elucidated; and whether proposals for legally binding commitments or a new treaty would improve the state of international peace and security.
Norms are dynamic and reflect expectations about what is responsible and acceptable behaviour in cyberspace, and these expectations may change over time. However, norms regulate behaviour rather than technology. Developments in emerging technologies such as artificial intelligence and quantum computing do not change the substance of responsible behaviour epitomised in cyber norms. Proposals to further expand the norms can sometimes be accommodated under the guidance text on norms operationalisation, or by further detailing obligations such as not damaging critical infrastructure and ensuring ICT supply chain security. Furthermore, new norms can be identified with greater clarity as States advance the implementation of existing commitments. Finally, while several proposals have been mentioned in the interventions, and no other more persistently than China’s proposal to develop norms on data security, no single proposal has received wider traction. The Chair’s Voluntary Checklist for cyber norm implementation follows this rationale by providing a roadmap for practical implementation of existing norms and will seek consensus in July to be annexed in the Group’s final report.
The adequacy of existing cyber norms has been challenged by a small group of countries led by Russia, and including Iran, Nicaragua, Venezuela, Cuba, and a few others, which have repeatedly expressed a belief that legally binding commitments, preferably as part of a new convention, are necessary as opposed to politically binding norms. While more substantial commitments, potentially introduced in a new treaty, may sound like an action-oriented step, four considerations show it is quite the opposite of what the international community needs. First, starting to negotiate a new commitment or a treaty would effectively undermine the existing framework, which was negotiated in six rounds of GGEs, and deliberated in times when States showed strong support for rules-based order as a precondition for peace and security. Secondly, this proposal is vocally supported by two out of the four most sanctioned countries for their irresponsible behaviour in cyberspace––Russia and Iran, with the silent support of the other two––China and North Korea. Third, there is no certainty that a “binding treaty” or binding obligations would lead to greater compliance by countries. Some of the same States that routinely violate existing cyber norms despite their political commitments, also violate binding treaties in non-cyber areas and accountability remains elusive. Finally, despite several years of circulating the proposal, it has not received traction or attracted more co-sponsors.
The proposal also undermines the application of international law in cyberspace with a claim that these existing frameworks are not sufficient for cyberspace. Though how existing international law applies in cyberspace remains an open question, international law is an area of responsible State behaviour that has received increased attention and made leaps forward over the past couple of years. In December, the EU published a declaration on the common understanding on the application of international law to cyberspace representing the voice of twenty-seven Member States, while reiterating that international law is fit for purpose in the digital age. A common understanding of how international law applies in cyberspace has been achieved in a breadth of areas covered by this document, including State sovereignty, non-intervention, due diligence, prohibition of the use of force, and State responsibility. The European Union declaration further reiterates that international humanitarian law applies to cyber operations in the context of armed conflict, including the prohibition of attacks directed at civilians, civilian objects, and critical civilian infrastructure.
Each national and regional statement on how international law applies in cyberspace advances the global baseline and helps develop common understandings on this question. With the African Union’s statement published in January 2024, and existing national positions, more than half of UN Member States now have an individual or joint position on international law in cyberspace. Many more States have published detailed interventions and signed on to joint cross-regional statements, including a common paper on the application of international humanitarian law to the use of ICTs in situations of armed conflicts co-sponsored by thirteen countries and the recent paper on the convergence areas of the application of international law in the use of ICTs sponsored by fourteen countries to be considered for inclusion in the final report. The recent progress made on the common understandings of obligations under international law, including the UN Charter, international humanitarian law, international human rights law, and law of State responsibility, clearly demonstrates that cyberspace is a regulated arena.
Seeking consensus on how international law applies in cyberspace is one of the most consequential discussions at the OEWG. Several countries proposed specific text for the Group’s final report, demonstrating an appetite across regions to provide additional layers of understanding to the application. Many others have stressed the benefits of capacity-building programmes based on scenario-based discussions on the applicability of international law, such as those organised by UNIDIR. Academic projects on the application of international law to cyber operations, including the Oxford Process, the Tallinn Manuals, and the Cyberlaw Toolkit by the International Committee of the Red Cross, which comprises concrete cases on how international law applies in cyberspace, alongside comprehensive regional and national positions, have contributed to an emerging consensus on these issues.
Building cyber capacity responsibly with a gender lens
Capacity building on cyber matters takes on many forms to support operationalisation and implementation of the framework and increase cyber resilience. While many ideas for UN portals have been circulated throughout the OEWG, namely India’s proposal to establish an all-encompassing portal that includes capacity-building, Kenya’s proposal for a threat repository, and Kuwait’s proposal on a norms implementation portal––all struggle to receive wider traction. In part because stakeholders have already taken the lead in this area, such as the Cybil Portal on capacity building and a clearing house operationalised by the Global Forum on Cyber Expertise and UN mechanisms that can be productively leveraged, such as the Cyber Policy Portal by the UN Institute for Disarmament Research (UNIDIR). Instead of centralising these action-oriented ideas under the UN, such proposals should be considered for their projected efficiency and seek to avoid duplication.
One proposal that has gained traction is the creation of a voluntary fund established by the OEWG to be operationalised under the UN Office for Disarmament Affairs (UNODA). The fund is foreseen to take on several functions, but questions loom over the efficiency of the funding and its distribution. For example, the fund aims to financially support representatives from developing countries to attend the sessions, while raising their capacity to engage in cyber diplomacy. However, long-running programmes such as the Women in Cyber Fellowship sponsored by the governments of the United States, Australia, Netherlands, Canada, New Zealand, the United Kingdom, and Germany already fulfil this function and have been hailed as successful models. Largely thanks to the fellowship, the OEWG discussions have reached gender parity. As reported by Australia, of the three hundred and five substantive interventions during the latest session, hundred sixty-nine were delivered by women, accounting for fifty-five percent of all interventions––well in excess of the norm in UN security proceedings. To further build capacity on cyber diplomacy, the UNIDIR and UNODA launched an updated Cyber Diplomacy e-course and the EU Cyber Direct Initiative published a Handbook for the Practice of Cyber Diplomacy.
Capacity building is not the only avenue for advancing gender diversity and gender-sensitive cybersecurity. Norms especially have faced increasing calls to consider the impacts that malicious cyber activities have on women. A new working paper drafted and co-sponsored by thirty-seven countries brings concrete proposals for strengthening gender commitments across the framework, with particular relevance for the future permanent mechanism. Among other measures, the paper proposes steps to address gender in the Chair’s Checklist on Norm Implementation and calls on States to support the participation of civil society organisations working on gender equality and cyber security. These recommendations highlight that gender mainstreaming does not stand alone and advances other necessary and complementary principles such as transparency, participation, and inclusiveness.
Programme of Action gains momentum and China enters the race
Two proposals drove the OEWG discussions on the future mechanism in the past years––the Programme of Action driven by France and the proposal for a continued OEWG spearheaded by Russia. In the last stretch of the negotiations, China entered with their own proposal in support of a single-track mechanism. While the Chinese proposal is detailed in its schedule for dedicated plenary meetings to be convened per year during a biennial cycle, it takes a magnifying glass to see any divergence from the Russian proposal. The Chinese proposition also disregards expanded stakeholder participation and thematic groups that would work across the framework. The only substantive difference between Russia and China is refraining from an open call for new legally binding commitments. In comparison, France, supported by the European Union and many other co-sponsors, put forward a proposal for three action-oriented thematic groups to meet cyber challenges in the future Programme of Action, with a cross-cutting approach focused on building the resilience of cyber ecosystems and critical infrastructure cooperation in the management of cyber incidents, and increasing stability in cyberspace. The cross-cutting dedicated thematic groups would take an action-oriented approach with briefings by experts, discussion on relevant best practices and States’ capacity needs, and a focus on specific policy challenges.
Canada and Chile have co-ordinated a working paper to enable stakeholders to add value to States’ engagement in the future UN mechanism. This initiative gathered twenty-five countries advocating for an improved accreditation process. The inclusiveness of OEWG discussions has long been a dividing point, and obstructed substantive discussions when the current OEWG launched. Russia, which has vetoed a vast majority of entities compared to other countries, has been supported by a small group of States that propose to maintain the status quo. According to the current modalities, States have a veto power to unilaterally decide on accreditation of applying entities, and to do so in secrecy. The Canada-Chile working paper aims to change the rules. It would allow States to object to specific applicants but request a vote in plenary to decide on the final accreditation. This would effectively create an exception in this consensus-driven process as the current situation has become unsustainable. It allows stakeholder modalities to be used as a bargaining chip to the detriment of meaningful progress on substantive discussions. If agreed upon, this proposal would put an end to the politicisation of participation modalities in the future mechanism.
While the proponents of these competing visions are trying to garner the support of other Member States, the Chair will circulate a zero draft of the future permanent mechanism in May. The key question is whether States can agree on the successor in the final report. A failure to do so would pave the way for a vote in the UN First Committee and potentially split the process into two tracks. However, a broad agreement remains that the Group’s mandate must not only continue but deepen and become more impactful. Despite its many shortcomings, the future mechanism is a unique opportunity to set the stage for long-term progress on international peace and security in ICT matters in the years to come, even if that progress is slow, incremental, and uneven. For now, the uncertainty surrounding the potential of reaching a consensus outcome and the cost of such an agreement for stakeholders are a cause for concern.
Thumbnail image credits: @theblowupphoto on Unsplash.
