10 Aug 2023

Shaky consensus at the OEWG: where next for UN discussions on state behaviour in cyberspace?

On 24-28 July, states convened in New York for the fifth session of the UN First Committee’s Open-ended Working Group on ICTs (OEWG), which aims to establish a common understanding of—and further develop the framework for—responsible state behaviour in cyberspace.

This session marked a critical juncture in the process, with states negotiating the OEWG’s annual progress report—an important document which aims to both summarise the current state of discussions and set out a roadmap for the remainder of the process, which will conclude in 2025. GPD has been closely engaged throughout the OEWG process, and attended this session in person as an accredited participant alongside other groups, with the aim of observing the discussions and advocating for the implementation of the agreed framework in an inclusive, human-centric and rights-respecting manner.

In the end, the report was agreed and consensus achieved (at least on the surface), though the path there was rocky, and outcomes are mixed from a human rights perspective. Below, we offer some insights and observations from the session—touching on its key results and implications, the remaining faultlines and obstacles in the OEWG, areas of progress (and concern) on human rights in the final report, and our thoughts on next steps and likely prospects for the OEWG process.


A challenging context

The Russian-initiated call for a treaty relating to state behaviour in cyberspace has proven to be one of the most persistent faultlines among states in these discussions. While proposals for such a treaty have cropped up intermittently at the First Committee for decades, this OEWG session marked something of a shift. Here, the proposal acquired an unignorable prominence, almost torpedoing consensus and preventing the group from accurately reflecting progress made in key areas of the mandate, particularly international law and regular institutional dialogue.

At the crunch point in the negotiations, Russia gave a long statement referencing their joint commitment with certain African states to “elaborate under the UN auspices effective and universal legally-binding instruments on the security of and the safe use of ICTs and the prevention of computer attacks against civilian infrastructure” (see the full statement here). This led to a frenzy of what the Greek delegate called “footnote diplomacy”—the ultimate result of which is a report which places slightly greater emphasis on the possibility of additional legally-binding obligations. However, it is worth noting that a further reference was also added to the proposal of states on the Programme of Action and the UN Secretary-General’s report on the scope, structure, and content of a future PoA (A/78/76). Certain member states expressed disappointment with the added reference to the treaty proposal, which did not accurately reflect the balance of the group’s discussions throughout the past year.

In contrast to the most recent Russian proposal—which has the support of a handful of states—157 states have supported the General Assembly resolution to establish a Programme of Action (PoA) on state use of ICTs in the context of international security. Despite this majority support, Russia’s reference to their cooperation with African states can be read as a reminder that—as with the adoption of the 2019 General Assembly resolution to initiate a UN treaty process on cybercrime—they could once again mobilise states in support of a treaty process. This is troubling because, in the current geopolitical context, such a process could result in badly designed legislation which undermines human rights protection and paves the way for poor practice. 


Weakening or deletion of key language

On rules, norms and principles, there was some watering down of references to the existing framework (also known as the acquis) of responsible state behaviour in cyberspace in progressive drafts of the report. Disappointingly, this means that the final report contains less reference to human rights than the 2021 outcome reports of the former GGE and OEWG processes.

On the subject of international law, the report only makes one passive reference to human rights, reaffirming the language of the group’s 2022 report which reflected the need for discussions on topics including human rights and fundamental freedoms.

We are also concerned by the deletion in the final report of language which identified “the growth of illegal markets offering access to, inter alia, software vulnerabilities, spyware, sophisticated high-end offensive ICT tools and ‘hacker for hire’ services” as a threat. Language to this effect was included in the revised zero draft and in the final draft of the report but is excluded from the final report, despite almost no states—with the notable exception of Israel, where the notorious NSO Group, which developed Pegasus spyware, is based—having criticised the language. This not only takes away an opportunity to address a widely agreed threat which violates human rights; its removal also undermines the transparency of the process, if key aspects of the text can presumably be deleted through the backdoor.

Throughout the proceedings, it was troubling to note a number of states—Russia, Belarus, Burundi, Cuba, Nicaragua, the Democratic People’s Republic of Korea, Venezuela and Sudan—oppose the inclusion of references to gender and human rights more vocally than in previous sessions. This was countered by cross-regional states demonstrating their support for institutionalising gender into the mandate—including El Salvador, Uruguay, Mexico, Costa Rica, Australia, New Zealand, Bangladesh, Vietnam, Ireland, the UK, Belgium and others—as well as many states who championed human rights, as noted below.

Other aspects of the discussions also did not find their way into the report, despite considerable support from states. These included Kenya’s proposal to develop a repository of threats, which received wide support, and proposals to strengthen the language on ransomware.


Markers of progress

Considering the negotiations more generally, there were several positive trends in state interventions which both were and weren’t reflected in the final report, but which may be considered as markers of progress.

For example, states from diverse regions championed the contributions of non-governmental stakeholders. Switzerland emphasised the role of stakeholders in contributing to all aspects of the mandate, including international law and regular institutional dialogue, while a Colombian proposal that civil society organisations, academia and the private sector be enabled to contribute to discussions on threats was supported by Chile and others. This aligns with our joint input to the draft report, submitted with 12 other civil society organisations and experts, which emphasised the role of diverse stakeholders in ensuring objective, evidence-based assessment of threats. There was also strengthened language in the threats section relating to the gendered and differentiated impact of threats, and in the capacity building section to reflect the need for a “gender-responsive” approach (championed by the Netherlands). Added references to the role of non-governmental stakeholders were also welcome and received widespread support—although the insertion of qualifiers like where “relevant” or “as appropriate” is troubling.

It was also positive to hear states from across regional groupings emphasise the need for more robust language on human rights, including Costa Rica, Timor Leste, the EU and Canada. For example, Czechia called on the report to recognise that threats to human rights in cyberspace also threaten peace and security; while Germany called for an “active reference” to human rights in the international law section.


Recommendations for next steps

Overall, the fact that a report was agreed is an achievement in itself, given the contentious geopolitical context. As we’ve noted before, the devastating and ongoing war in Ukraine continues to cast a long shadow over multilateral forums, including the UN cyber processes, where it has undermined trust, stalled progress, and emboldened certain states to push harder for a treaty. As in 2022, the report will include an annex where states will include their “explanations of positions”—akin to reservations on the text.

In this fraught context, the agreement of the report marks a victory for multilateralism. However, the report itself marked some disappointment for human rights defenders, watering down language on the implementation of the agreed framework of responsible state behaviour in a human rights-respecting manner.

However, as many have noted before, the process is about more than a single outcome document, and much depends on how the discussions take shape and translate into concrete proposals and relevant laws, norms and standards governing state behaviour in cyberspace. The report proposed a number of next steps, including dedicated intersessional meetings on threats, rules, norms and principles, international law and regular institutional dialogue, as well as a global roundtable on cyber capacity building. It also committed the OEWG to producing a norms implementation checklist, sharing national positions on how international law applies, operationalising the Global Points of Contact Directory (PoC Directory), and mapping cyber capacity building programmes. With this in mind, we offer the following recommendations to the OEWG as it looks ahead to its future work:


Recommendations for states:

  • Work with stakeholders from the technical community, industry, academia and civil society to acquire knowledge of and assess the accuracy of information relating to threats, while paying due regard to the perspectives of those stakeholders disproportionately impacted by cyber incidents;
  • Collaborate with civil society and other non-governmental actors to develop guidance for and to implement the agreed norms through relevant regional and domestic regulation and policies, including the proposed checklist. As advised by states including Colombia and Chile, states should refer to existing guidance (such as GPD’s Inclusive Cyber Norms Toolkit) to ensure this is undertaken in an inclusive and rights-respecting manner;
  • Leverage the expertise of non-governmental experts to assess state positions and to develop common understanding of how international law applies in cyberspace, including by enabling their participation in a dedicated intersessional meeting through the adoption of inclusive meeting formats;
  • Develop further standards and guidance to ensure the PoC Directory is implemented in compliance with states’ obligations under international human rights law, and specifically the right to privacy;
  • Participate in the Global Conference on Cyber Capacity Building (GC3B) in Accra, Ghana (29-30 November) and engage in discussions with diverse stakeholders on ensuring a principles-based and gender-responsive approach to cyber capacity building; 
  • Engage meaningfully with non-governmental actors on the design of the PoA mechanism, including through facilitating their participation in and sharing the outcomes of relevant consultations in a timely manner.


Recommendations for non-state actors:

  • Monitor and provide analysis of cyber incidents, including by working with those disproportionately impacted, to demonstrate their human impact and to ensure global processes are grounded in reality;
  • Collaborate with states and other stakeholders to develop or contribute to norms implementation guidance—including the proposed checklist—to further common understanding of key terms and implementation of the agreed norms in an inclusive, rights-promoting and contextually-relevant manner;
  • Continue to contribute expertise on the application of international law in cyberspace, including by analysing state positions and contributing expertise to ensure relevant laws, standards and policies are consistent with obligations under international human rights law, including at the proposed intersessional meeting;
  • Build upon initiatives to develop common positions on the PoA mechanism, and continue to engage with and follow up on any consultations relating to the PoA’s design.

We will continue to follow and input into the process, in particular at the OEWG’s next intersessional meetings.