Reporting back from the second substantive OEWG meeting

24 Feb 2020

By Sheetal Kumar and Lea Kaspar

Earlier this month, GPD attended the second substantive session of the Open Ended Working Group (OEWG) in New York.

The purpose of the meeting—which ran from 10-14 February—was to continue discussion of the mandate of the OEWG and more specifically, the six main areas referred to in the OEWG’s UN resolution: 1) existing and potential threats in cyberspace 2), norms, rules and principles 3) the application of international law 4) regular institutional dialogue 5) confidence-building measures and 6) capacity building. 

The agenda also included a brief “informal intersessional for non-governmental organisations (NGOs)”, Unfortunately, as in September, the only NGOs able to participate were those accredited by the UN Economic and Social Council (ECOSOC). In the end, around 14 were accredited (out of the 44 in total who applied), although less seemed to be present at the meeting, and only five made statements on the third day of the meeting.

Apart from the agenda, a working paper had been provided by the Chair in advance of the meeting, with questions to guide the discussions. This proved useful and popular among the delegates, and might have helped spur the suggestion of a number of concrete proposals at this session (some of which we look at below). The meeting was relatively interactive, with delegations responding to each others statements and proposals—and ended on a positive but cautionary note, with the Chair noting that the hard work (of drawing up the report, and negotiating it) is still to come. There was also more engagement from developing countries in this session—particularly women, which was a very welcome development—although the most active and participating states were still disproportionately from the Western bloc.


Key themes from the meeting

  • An increasing number of states called for a “technologically neutral” approach to “threats” in cyberspace—focusing on the impact of technologies on peace and security and the behaviour of states, rather than specific technologies themselves. This is ostensibly to future-proof any recommendations, but may also help avoid a slippery slope discussion around regulation of specific technologies like AI. Still, a number of delegations continued to emphasise specific threats from emerging technologies—notably the internet of things—as well as threats from non-state actors, such as cybercrime and terrorism. On a positive note, there were references to the Freedom Online Coalition’s recent joint statement on cybersecurity from a range of delegations, emphasising the need for a human-centric and rights-based approach to the issues under discussion
  • As in September, there was seemingly unanimous agreement on the importance of tailored capacity building. However, moving the discussion forward, this session also saw proposals for the OEWG report to include principles of capacity building. There was no consensus on what those should be, with some pointing to the Global Forum on Cyber Expertise (GFCE)’s Delhi communique for inspiration, and others mentioning inclusivity, sustainability, and “political neutrality” as key. Others emphasised the need for capacity building to be “evidence-based”, and suggested linking the principles to the UN Sustainable Development Goals. 
  • There were a number of requests for the report to make links between the different discussion areas. One aspect particularly highlighted was the link between capacity building and international law—with delegates pointing out that a lack of capacity building among states hinders the evolution of understanding in how international law applies in cyberspace, and states’ ability to abide by their obligations.  
  • The session also featured substantive interventions into the discussion on international law, with some states taking the opportunity to share their positions on how certain principles of international law apply in cyberspace, express concern about their application, and highlight areas of disagreement—such as on self-defence and the use of countermeasures. As we discuss below, this unfolded amid a continuing lack of consensus on how best to operationalise the existing Group of Governmental Experts (GGE) agreements. In an attempt to foster greater clarity, Mexico suggested that the OEWG ask the International Law Commission to draft a report on the application of international law in cyberspace, but made clear that this shouldn’t be seen as an alternative to states publicly declaring their stances on how international law applies in cyberspace
  • Building on the September call for a global repository of capacity building initiatives, this session saw further calls for new repositories or databases, including on threats, international law and confidence building measures (CBMs). Among these, it was the idea of a repository on international law—possibly comprising resources on national positions, academic studies, for example—and another repository on both global and regional CBMs that gained the most support. There also seemed to be broad support for the OEWG operationalising a CBM by developing a “global points of contact” database (although whether this should be of “technical points of contact” or “diplomatic points of contact” was left open).


Areas of disagreement 

  • There continued to be disagreement about whether a treaty is needed for cyberspace. At this session, Brazil and India were much clearer about their support for a treaty, while South Africa declared itself as “occupying a middle ground”. Therefore, all the BRICS countries, as well as a few others, either fully support a treaty or are open to the discussion, whereas the Western bloc, and a number of countries from the Latin America region, oppose one. 
  • The discussion on norms also revealed a range of views on the sufficiency of the existing norms framework. The majority of delegates supported “deeper understanding” and implementation of the existing norms. Some—including Finland and New Zealand— while expressing caution did not rule out the idea of new norms in principle. Others, notably the US and Estonia seemed more rigid, stating there was no clear need for new norms.  
  • There was particular interest in the norms on critical infrastructure, with Singapore suggesting that they be expanded to include protections for supranational or transnational shared critical information infrastructure. The Netherlands suggested that two particular norms (on “the protection of the public core” and the protection of electoral infrastructure”) could be understood as complementary guidance on interpreting the norms on critical infrastructure; while others suggested they should be considered in their own right. The delegate from the International Red Cross proposed that the norms on critical infrastructure be unanimously agreed to include medical infrastructure. 
  • Another key area of contention is the so-called “militarisation” of cyberspace, or the development and use of offensive capabilities by states. Some called for a complete halt to these activities, with others, notably Australia, arguing that the “ship has already sailed”—in other words, that it is too late to stop states developing these capabilities, and what we should be pushing for is more transparency about how they are used.
  • One of the most anticipated areas of discussion, and unsurprisingly one where there was no clear agreement, was on “regular institutional dialogue”. This is the only part of the OEWG’s mandate that differs from the GGE’s. Essentially, it covers whether the OEWG should continue or not (or if, for example, an entirely new body or process should be set up). Just as with the discussion on norms, a spectrum of views were revealed. Some suggested setting up a new body or committee within the UN to carry forward the dialogue, without proposing much detail on mandate or scope. Others thought the OEWG should continue “at least until a new mechanism or body could be set up”. The middle ground, where most support seemed to lie, was those who had “an open mind” about the continuation of the OEWG, but also found it premature to discuss renewal without agreement on scope of the mandate. At the same time, adherents to this view reiterated the need for complementarity with other processes, including outside the First Committee, as well as the need to engage other stakeholders in a meaningful way. This point about complementarity with the GGE was reiterated by many—although whether this means that both processes should continue in tandem, and for how long, is unclear…


Next steps

Now that the first two substantive sessions are over, the next stage of the process is drafting the report.

There’s no doubt that regular institutional dialogue will be a sticking point, as will a number of other areas, particularly relating to how to operationalise the existing agreements. 

These negotiations will take place in two informal sessions: one at the end of March, and the other at the end of May. A first version of the report will apparently be published on the Secretariat website in the first week of March, which will provide opportunities for a wider range of stakeholders to comment. These negotiations will culminate in a final session in July—where, it is hoped, a consensus report with some concrete recommendations will be agreed.

You can watch footage of all the interventions at the intersessional here.

And read our reports from previous OEWG sessions here: