At the end of July, the Open-ended Working Group (OEWG) on ICTs—which is currently discussing how states should and shouldn’t behave in cyberspace—concluded its third meeting, which falls in the middle of its four-year mandate (ending in 2025). Below, we provide a summary of what happened, reflections on the outcomes and implications (the good and the bad), and some practical recommendations for stakeholders and governments to consider ahead of the next meeting.
The latest OEWG meeting—held from 25-29 July—was a pivotal one. In it, member states were tasked with negotiating a consensus report which would serve as the core “roadmap” for discussions up until the end of the OEWG’s mandate.
This was never going to be easy. As we’ve reported since the first OEWG in 2019, there have been many persisting areas of disagreement among member states, which often hinge on core, foundational questions. Is a binding treaty for cyberspace needed? Are new cybernorms needed? Should the OEWG be the sole space for dialogue on these topics (and if so, how should it support member states)? Other areas of contention include the application of international humanitarian law to cyberspace, and the role of non-state stakeholders in these discussions.
A challenging context
These areas of disagreement have been made more intractable by the invasion of Ukraine, which has entrenched geopolitical faultlines, casting a long shadow over this meeting—including on the issue of stakeholder modalities. Thanks to the newly adopted modalities which provide some level of transparency on the use of the veto, we know that it was Ukraine and Russia that exercised their right to veto around a third of the non-state stakeholders who applied to attend the meeting. The groups Russia vetoed included incident responders, digital rights groups and key actors in cyber capacity building like the GFCE. The Chair repeatedly made reference to the ‘challenging context’, and the lack of a ‘guarantee’ that a consensus report was achievable, urging states to listen to each other, reach over the faultlines and compromise.
It’s clear that the OEWG’s discussions are more timely and urgent than ever. The Ukraine conflict—which has featured many instances of ‘hybrid warfare’, in which territorial fighting is augmented by the use of cyber capabilities—is one reason for urgency. But malicious cyberattacks on critical infrastructure are happening everywhere with increasing frequency, both state-sponsored (see the recent cyberattacks in Taiwan) and by other actors (last week’s serious attacks on the UK’s health infrastructure and Germany’s government IT systems). These alarming incidents should underscore the need for cooperation among states on norms of responsible behaviour in cyberspace. But instead, the increasing number of such incidents is actually making discussions more difficult, especially because some of the major players in these discussions (namely the US and Russia) are directly implicated.
Reflecting this difficult context, the meeting sometimes had the character of a salvage mission. The first version of the draft report—which went through two major revisions in July—was whittled down to the bones of what could be agreed during the week of the meeting. From the beginning of the process, the Chair had made clear a desire to get states to agree on ‘concrete/actionable steps or recommendations’. However, few steps or recommendations from the first version of the report were maintained (as is explored in more detail in the ‘highlights’ section of Reaching Critical Will’s summary of the meeting, states largely stuck to their long-standing views on the topics of the OEWG’s mandate).
In the end, the report takes the safe route: papering over disagreements with broad recommendations relating to, for example, member states’ sharing of information about their positions on key topics and/or good practices, and commitment to continued discussion. Considering the context, as the Chair reiterated, the ability to agree a consensus report sends an important signal to the international community that on issues of international peace and security, states can still sit around a table and agree ‘something’, although it should be noted this was only possible because a compendium of “Explanations of Position” will be attached to the final report—a way of states putting a ‘yes but…’ on the record. But what is that ‘something’? And to what extent does it present a useful roadmap for the future?
What’s in the report?
The report recognises the increasing urgency of the discussions and reaffirms the existing responsible state behaviour framework. On threats, however, it largely reiterates what is in the 2021 report, due to an inability of states to agree. On capacity building, any references to the role of the UN acting as focal point proved too controversial, in light of longstanding concerns around the UN duplicating existing efforts (e.g. by the GFCE and regional organisations). As a result, this section refers mainly to the continued exchange of views on key topics (though, positively, this does include a gender dimension). For the first time, however, the meeting included briefings by regional organisations (the OSCE, AU, OAS and EU) on their capacity building efforts, which was a useful information-sharing mechanism. The AU, which has not been actively engaged in the OEWG as a regional grouping until now, provided an in-depth set of reflections and recommendations on capacity building informed by a multistakeholder consultation that had taken place ahead of the African IGF in Malawi.
On the subjects of international law and regular institutional dialogue, the report is also vague—basically committing states to continued discussion. Due to disagreement around the role of a proposed Cyber Programme of Action (PoA) and how it would complement the OEWG, there is no commitment to establishing a PoA. It is really on confidence-building measures where the report becomes specific. For example, it calls for the creation of a ‘Points of Contact (PoC) directory’, which would list key people in each member state to contact in order to reduce escalation and misunderstanding at times of tension. It also asks the Chair to set up an intersessional meeting (between now and March 2023) to discuss what topics could foster greater confidence and trust between states. Implementing these recommendations, particularly setting up the PoC directory, will be much more difficult in practice, especially against a backdrop of conflict and distrust.
Disappointingly, the report weakens language from the first OEWG report draft on the need for a human-centric approach to peace and security in cyberspace, and the disproportionate impact of cyberattacks on vulnerable groups. It also includes only one reference to human rights, and fails to properly recognise the role of non-state stakeholders in implementing the responsible state behaviour framework, with limited references to capacity building and confidence building. The fact that NGOs couldn’t participate in the first two meetings in any formalised manner due to the inability to agree stakeholder modalities may to some extent explain this. It also shows just how important stakeholder participation is to ensuring these discussions remain as non-politicised as possible and focused on the main question at hand—how to protect a secure and stable cyberspace. This is ultimately a question of how to protect and fortify a complex system of devices and infrastructure on which we are all intimately dependent. And it requires a holistic and multistakeholder approach, not a closed and politicised one.
So what can be done? Reading the progress report that was just adopted with a ‘glass half-empty’ lens, it may appear thin—a good effort to at least agree something, stop the process from moving backwards, but not much more than that. Reading it with a ‘glass half-full’ frame of mind, however, it is possible to see a number of opportunities to drive and shape these discussions going forward, including in advance of the fourth meeting in March 2023.
Ahead of that meeting, some recommendations:
Recommendations for non-state actors
- Provide analysis to inform the implementation of the more specific recommendations in the report, such as the PoC directory, drawing on existing experience, lessons learned and national/regional ‘realities’ on the ground
- Building on existing work and collaborating with other stakeholders, develop working papers, guidance and checklists to further common understanding of key terms and implementation of the agreed norms, e.g. from a human-centric, gender and rights perspective. This could also include checklists of ‘what not to do’, or ‘bad practices’, that undermine peace and security in cyberspace
- Assess submissions by members of the OEWG on the application of international law in cyberspace, including from a human-rights perspective
- Provide analysis and commentary of state proposals to build confidence and trust in cyberspace (e.g. the joint proposal by Canada, Germany, Mexico and other states), and develop further recommendations or proposals on confidence building, including to inform any future OEWG intersessional sessions on the topic
- Continue to monitor and collect data on the impact of cyber incidents on communities including vulnerable groups and thereby help make the links between state behaviour in cyberspace and the impact of this behaviour on people
- In implementing the responsible state behaviour framework, consult with stakeholders on how to utilise existing frameworks (e.g. national cybersecurity strategies) to implement the framework
- Collaborate with civil society and other non-governmental stakeholders on developing guidance for implementing the rules, norms and principles and on developing positions on how international law applies in cyberspace
- Proactively organise sessions to deepen understanding of how the peace and security agenda in cyberspace intersects with human rights
- Include civil society and other non-governmental stakeholders in future delegations and actively integrate their expertise
- Work with civil society and other stakeholders in advance of OEWG meetings, to identify threats through multistakeholder consultations. For example, recently the African School of Internet Governance (AfriSIG) brought together experts from across stakeholder groups in the Africa region to identify capacity building priorities. This could be used in other contexts and as a model for other areas of the OEWG’s mandate.