Key takeaways from the December OEWG intersessional

19 Dec 2019

By Sheetal Kumar and Lea Kaspar

On December 2-4, GPD was in New York for the intersessional meeting of the Open-Ended Working Group on developments in the field of ICTs in the context of international security (OEWG). This was a precedent-setting meeting—with registration for these discussions on international peace and security in cyberspace open to all non-state actors for the first time in UN history. 

Unsurprisingly, the three-day event saw strong turnout from these non-state actors, with over one hundred stakeholders from civil society, ICT companies, the tech community, universities, and think tanks. It also saw greater-than-expected attendance from UN member states, who numbered almost one hundred—although most states were in “listening mode”, with fewer taking the floor to make statements or react to interventions from the other side of the aisle.

GPD’s interventions (soon to be published on the UN meetings website) made the case for a human-centric and rights-based approach to cyber threats, emphasising the important and varied roles civil society can play, and the need for discussions to be more open, inclusive and transparent. We also submitted a formal contribution to the meeting, which can be read here.

The discussions at the intersessional in many ways mirrored the first substantive session of the OEWG—though the multistakeholder nature of this meeting meant that a greater number of proposals and recommendations were put forward to deal with the challenges and issues that were raised. The inflection points on areas of agreement and disagreement were broadly similar to those that came up in the September meeting, though a few interesting new themes emerged. We unpack these in more detail below.


Emerging new themes

The importance of a human-centric and rights-based approach to cyber threats ran through a number of interventions, and was also noted in the Chair’s brief summary at the end of the meeting. There was also a clear message about the need to recognise the role of all stakeholders in implementing the recommendations of the 2015 UN Group of Governmental Experts (GGE) Report, including with reference to capacity building, confidence building measures (CBMs), and norms—a point which was conspicuously absent in the previous meeting. 

A number of stakeholders also noted that the multistakeholder approach could be seen as a CBM in and of itself—building on a point made in the September meeting about the OEWG and its more “open discussions” helping to forge greater trust and cooperation among actors.


Areas of agreement carried over from the September session

As in September, there was seemingly unanimous agreement on the importance of tailored capacity building, although some statements from the floor did signal that this could be interpreted differently by actors. 

There was, again, agreement on the need to move forward with implementing the recommendations of the 2015 GGE report, including the 11 non-binding norms, and even on some of the challenges faced—such as the lack of accountability for violations of the norms, and challenges in attributing cyber attacks. Proposals were put forward to deal with these challenges, including an annual state peer review mechanism for assessing state compliance with the norms, and an independent attribution centre (currently a project of ICT4Peace Foundation and Georgia Tech). As discussed below, the disagreement is not on whether to implement the recommendations—but rather, how.

In the run up to the intersessional, GPD also contributed to a joint multistakeholder submission, coordinated by the UK government, which highlighted examples of good practice when it comes to the role of stakeholders in norm implementation. 

(Note: for a fuller analysis and unpacking of the development of norms within the GGE framework, see our new brief).


Areas of disagreement carried over from the September session

There was a wide range of opinions on what constitutes a cyber threat, with disinformation mentioned by a number of stakeholders, and—as in September—a lack of agreement on whether threats emanating from state or non-state actors should be the focus of discussions. It was again pointed out that certain types of activities—such as the use of ICTs by non-state actors for criminal activity—are already discussed elsewhere in the UN by other bodies. However, the question of how feasible it is to continue to separate these discussions remains central, particularly because states can (and do) use non-state actors as proxies in their cyber operations.

As in September, the question of how to move forward with the recommendations from the 2015 GGE Report remained a key point of tension. A number of states support the call for a binding treaty, while others say it’s too early for a treaty, and that voluntary implementation of norms (along with the rest of the recommendations) is sufficient. It was also suggested that a third “parallel” track could be possible—where some norms are made binding at the international level, and others not. This was left open, and it’s not currently clear how that would work or how agreement on what should be binding and what shouldn’t be could be reached. 

The intersessional meeting was useful in highlighting some of the areas where non-state actor views currently align with those of states. For example, while Microsoft supported the proposal for a binding treaty, a number of other actors—including many civil society groups—seemed to agree that voluntary implementation of the norms, with a greater focus on accountability, is currently the preferable option. 

The question of whether new norms should be adopted remains a notable area of contention. While there seemed to be agreement that the growing number of norm-building efforts parallel to the UN (e.g. the Global Commission on the Stability of Cyberspace, Paris Call, and various other private sector efforts) is a positive development, there was no consensus on a need for new norms. A suggestion for a norm against attacking nuclear weapon sites was put forward, while other norms (including the recently finalised GCSC norms) were also discussed and presented. One welcome point, picked up by the Chair in his summary, was a reference to the need for any new norms to be developed through a multistakeholder approach. 


Next steps and unanswered questions

Discussions concluded with a brief summary from the Singaporean Chair of the intersessional, David Koh, who observed that “cyber discussions are a team sport, which no one stakeholder group can deal with alone”, and reiterated a point made back in September: that, while there seems to be agreement on around 80 percent of issues, the remaining 20 percent is proving a sticking point. 

Shortly afterwards, there was a GGE consultation, followed by the first meeting of the GGE, where participation was restricted to its 25 member states. 

Looking ahead to the next substantive session of the OEWG in February, the Secretariat, along with UNIDIR, is currently developing the background papers requested during the September session. There were also a number of requests at both the September session and the intersessional to share information on capacity building efforts, with Koh seeming to signal that an effort would be made to respond to this request.

After February, the Chair of the OEWG, Jürg Lauber, will circulate a draft report to member states. Then, there will be two informal sessions (in April and May) and a final substantive session in July to finalise the report. Although Koh stated that “trust can only happen if there’s inclusive engagement”, as we write there is still no clarity around modalities for the participation of non-governmental stakeholders at either the February or July sessions. 

Rumours are that the OEWG could be renewed at the next session of the General Assembly in 2020, starting up work again the following year. But as we are months away from the final OEWG session—and with the GGE just starting—anything is possible.