Cyber norms update: takeaways from the GGE OAS regional consultation

23 Aug 2019

By Sheetal Kumar

Last week, the GPD cyber team attended the UN Group of Governmental Experts (GGE) regional consultation for the Americas. The meeting, which took place from 15-16 August in Washington DC, was organised by the Organization of American States (OAS) to coordinate input from stakeholders across the region into upcoming GGE discussions.

The GGE has been given a mandate to explore responsible state behaviour in cyberspace at the UN’s First Committee. For more context, see our explainer on the GGE and the parallel Open-Ended Working Group (OEWG) process here

This was the third of five planned GGE regional consultations (the EU and OSCE consultations took place in June; the ASEAN Regional Forum and AU consultations are coming in October). The purpose of these consultations is to broaden the discussion beyond the GGE’s membership, which is limited to 25 member states. The outcomes of the regional consultations are then meant to feed into upcoming GGE discussions, which will begin in December. 

The OAS regional consultation brought together representatives of countries across the region (including Argentina, Ecuador, Belize, Colombia, Chile, Brazil, Mexico, the US and Canada), as well as local civil society (including ADC from Argentina, Karisma Fundacion from Colombia, Derechos Digitales from Chile and R3D from Mexico). 

The consultation—which was preceded by a civil society information-sharing session, convened by the European Union Institute for Security Studies (EUISS) and the OAS—spanned two days in total. The first day was dedicated to gathering non-government stakeholder views (including civil society and the private sector), while the second gave OAS member states the chance to share their perspectives on the issues of the GGE’s mandate, and also included presentations from the ODA’s experts on the last GGE and the issues that are likely to shape the current GGE’s mandate. 

These key issues included: the breadth of the mandate of the GGE; the application of international law to cyberspace; the role of different stakeholders; and whether additional rules and norms were needed (beyond the existing voluntary ones from the last consensus GGE Report in 2015). 

Going into this consultation, we were primarily looking to get a sense of what member state positions were on the key issues. Here’s what we found:



  • The GGE’s mandate remains controversial. Should human rights be on the GGE’s agenda? Are policy issues like cybercrime and development part of its remit? These questions kept arising at the consultation, often posed by the OAS states which aren’t able to attend the GGE’s closed sessions, and they proved to be a sticking point for some key players (including the US and Canadian delegations, the Chairs of both the OEWG and the GGE, and the consultants who advise both processes) who expressed their preference for a narrow mandate focused on the core mandate of the first Committee—namely, international peace and security. If states get stuck in discussions about what should and shouldn’t form part of the mandate, this risks making progress on the thornier and more controversial issues less likely.
  • There’s “unfinished business” from the last GGE. The 2016-2017 GGE was dominated by disagreements over a range of key concepts in international law (see this DIPLO publication for a good overview). These divisions haven’t gone away, and were out in force at this consultation, with Mexico and Chile reiterating their support for the application of all “international law”, including international human rights and humanitarian law, to cyberspace. As Brazil pointed out, support for the application of international humanitarian law to cyberspace is not universal among GGE states.
  • There remains varied national capacity to engage in the discussions. Many countries at the consultation were new to GGE discussions, and are therefore only beginning to develop positions on the key issues. Of the OAS member countries present, only nine ended up giving remarks on the mandate and agenda of the GGE. Of these nine states, however, several did offer important substantive input—notably Chile and Mexico, who addressed the question of how sovereignty applies in cyberspace, and whether and when a cyberattack can reach the level of an armed attack. As the GGE resolution calls for all member-states to submit their views, it’s likely that more states will be developing positions over the next few months.
  • The role of non-government stakeholders remains contentious. Despite frequent references to the importance of engagement from academia, civil society and the private sector, commitment to the inclusion of non-governmental stakeholders varied among states, and there was wide support for multilateralism and a state-led process. On the other hand, there does seem to be agreement that discussions on responsible state behaviour in cyberspace need to include a greater diversity of member states, and could no longer remain the arena of discussion for a few countries: the Chair, along with the US representative, made continued pleas during the consultations for non-GGE member states to “have a voice” and develop positions on the key issues. 
  • Turning back on previous agreements is a no-go. Even if states may not be able to agree on the issues that should be discussed in the new GGE, there seemed to be agreement that “moving forward” with the implementation of the existing norms and recommendations should be a priority. The US proposed the setting up of a working group within the OAS, and indicated support for such a mechanism to promote the uptake of the recommendations. However, whether there is a need for additional norms and recommendations to be developed was clearly an area of disagreement. The frank references during the consultations to the “fraught political environment” of the previous GGE (which led to its failure to agree a report) was a reminder of how challenging the discussions will be over the next two years.



  • There will be a summary report from each of the the GGE regional consultations which will serve as an input into the GGE discussions. Note: it is unlikely that these will be made public ahead of the GGE discussions. 
  • Two regional consultations are still to be held ahead of the first GGE meeting, both in October: the ASEAN Regional Forum consultation which will be held during Singapore Cyber Week (1-3 October); and the AU regional consultation (11 October), during the annual meeting of the Global Forum for Cyber Expertise. The AU regional consultation is meant to include a short multistakeholder segment.
  • Some countries are also holding national level consultations. Among the OAS member states, Mexico will be conducting one with non-government stakeholders ahead of the GGE meeting in December.

For regular updates on developments at the First Committee, sign up to GPD’s monthly digest.