18 Mar 2021

The OEWG’s consensus report: key takeaways

The third and final meeting of the UN First Committee’s Open-ended Working Group (OEWG) on ICTs concluded last week. Going into it, we were prepared for three possible scenarios:

  1. The OEWG would fail to adopt a consensus report (the worst outcome, which would have undermined previous agreements and set back discussions); 
  2. The OEWG would adopt a consensus report, although one which made no progress on previously agreed outcomes in the First Committee;
  3. The OEWG would adopt a consensus report that not only reaffirmed previously agreed outcomes but built further on these and included at least some actionable recommendations.

Now that the dust has settled on the discussions, it’s clear that we’ve ended up with scenario 3, albeit with some caveats. This is broadly a good outcome, and was by no means guaranteed, given the often fractious nature of the process (not to mention the added logistical complications of a global pandemic, and the hybrid virtual format of the meeting). 

Below, we take a closer look at the consensus report, and its implications from a human rights perspective. 

 

The (qualified) good

The inclusion of norms guidance in the Chair’s Summary of the report is welcome. Developed by various states, some of this guidance includes useful language from a human-rights perspective—particularly in the detailed text provided by Canada on the agreed 11 norms, which reflects input provided by civil society groups.

(Note: some of the guidance is less welcome, particularly China’s offerings on data security and counter-terrorism, which include problematic language on ‘safeguarding national security and public interests’ and prohibiting ‘terrorist organisations’ (not defined) from using the internet. This will likely be discussed in future OEWG meetings).

The inclusion of norms guidance in the report is important for two reasons: 

  1. It will help states develop common understandings on a range of important questions: e.g. the precise scope of ‘critical infrastructure’, and the role of states vis-a-vis other actors in securing ICT supply chains;
  2. It provides concrete guidance on the implementation of norms, which—if implemented in a human-centric and inclusive manner—could meaningfully contribute to a more peaceful and secure cyberspace.

Another positive aspect of the report is its reference to a Programme of Action (PoA), a more permanent, regular institutional dialogue that would develop a framework and a political commitment based on the existing ‘agreed framework on responsible state behaviour’ or ‘acquis’ and have regular meetings and conferences to assess implementation. This could be a valuable mechanism for supporting the implementation of the agreed framework, including the 11 GGE cyber norms, and for identifying gaps where further dialogue or new actions or measures need to be developed. The PoA would have progressed without reference in the OEWG report—it already has support among enough member states for that—but its reference in this OEWG report provides added impetus. 

Finally, while the report is deliberately vague in parts, on certain points it offers a welcome specificity. For example, it refers to the need to protect the general availability and integrity of the internet and to improve the security of the ICT supply chain, and it highlights the importance of responsible reporting of vulnerabilities. Other positive features include the acknowledgement by states that they understand the protection of healthcare infrastructure, including medical facilities, as relevant to the norms already adopted on critical infrastructure—meaning they commit to both taking measures to protect it, and not attacking it. These are all important areas that require meaningful stakeholder engagement to implement. Unfortunately, this is precisely where the report falls short: mention of stakeholder engagement is limited, particularly in the more operational ‘conclusions and recommendations’ sections. 

 

The less good

It’s the report’s sections on international law and institutional dialogue which clearly illustrate the trade-offs and compromises that were made. There is no mention of the different bodies of international law—including international humanitarian law and human rights law and their applicability in cyberspace—that were present in earlier drafts, due to the resistance from some states, including China and Russia. This is particularly unfortunate from a human rights perspective, especially considering that—significantly—the report acknowledges the increasing likelihood of military cyber operations, the potentially devastating humanitarian impact of cyberattacks, and the implications of ‘negative trends’ in the digital domain on human rights. 

It should be added that references to international law haven’t been removed entirely. Instead, like other contentious parts of the text, they were moved to the two-part Chair’s Summary, which comprises a ‘discussions section’ along with the aforementioned norms guidance text. Still, this feels like a setback for discussions on international law—whether the parallel but closed Group of Governmental Experts on ICTs (due to wrap up later this year) can make any headway there remains to be seen. References to the development of a legally binding framework or obligations were also retained in the final report but couched in indeterminate language, as an area not agreed with by all states—but one which will, along with other areas, be discussed at the next OEWG. 

 

What next?

As we mentioned in our statement on Friday to the OEWG, focus must now turn to:

  • Ensuring that the conclusions and recommendations in the report are heeded: This includes the implementation of the agreed framework on responsible state behaviour, which we’ve argued (along with many other civil society stakeholders) should be inclusive of all stakeholders and underpinned by a human-centric approach. Implementation is also important regardless of whether or how binding regulations are considered in the future: the implementation of norms, CBMs, capacity building and greater understanding of how international law applies in cyberspace will support common and shared understandings, and help shape future discussions on the frameworks necessary to support a more peaceful and secure cyberspace. 
  • Shaping meaningful stakeholder engagement in future dialogue: It’s also important that states work with civil society to ensure that lessons learned from stakeholder engagement in this past OEWG are applied to the next OEWG. The organisational meeting of the next OEWG will take place in early June, so there is still time to carry out that work. The negotiations for the resolution that could set up a PoA are also likely to take place over the next few months, and it’s important that civil society get involved to shape any text on stakeholder engagement. Our colleagues at WILPF have already done some important work in this regard, drawing on their experience with the UN PoA on small arms and light weapons process.

The Chair and his team steered a difficult discussion last week, one that was peppered with metaphors of ‘choppy waters’ and bouts of seasickness. Member states acknowledged that the compromise that was agreed was hard-won but significant. It is heartening to see this consensus report adopted by all member states, even amid the challenges that have been faced in the past year. After all, the GGE in 2016/2017—a much smaller, closed group—failed to agree on a consensus report on the same topics. Yet, for the outcome to have a meaningful, positive impact on people’s lives, and on international peace and security, there is still much to be done—both to implement the recommendations in the report within and outside the UN, and to make sure that future discussions are inclusive of stakeholders.