The Rocky Road to Cyber Norms at the United Nations

Between July 25 and 29, UN member states gathered in New York for the third substantive session of the Open-Ended Working Group on the security in and of information and communications technologies (OEWG). The mandate of the OEWG is to develop norms, rules and principles for responsible state behavior in cyberspace, consider how international law applies in cyberspace, establish regular institutional dialogue under the auspices of the United Nations, study emerging cyber threats and cooperative measures, and to understand the role of confidence building measures and cyber capacity building within this context.

The biggest challenge facing the new OEWG is how to see progress amidst deepening cleavages between Western countries and Russia and China. The first year of the OEWG exposes how these geopolitical disputes have led members to block stakeholders from participating in meetings and avoid detailed discussions. If these and other issues continue, they may compromise the work of the current OEWG and undermine its capacity to advance efforts to implement cyber norms.

Geopolitical tensions: that was then, this is now

The OEWG has always been marked by geopolitical disputes. During its first iteration from 2019-2021, the process was initially perceived as a Russian success in getting member states to agree with the establishment of a parallel track to the existing, U.S.-backed Group of Governmental Experts (GGE), which involved twenty five countries, for discussing responsible state behavior in cyberspace. Many feared that progress on norms would be lost in endless discussions among numerous members and shift the focus of the GGE.   

Despite these expectations, the first OEWG did set an important precedent for a more inclusive debate on international cybersecurity. In the session, 193 countries joined the OEWG and over 100 non-governmental organizations (NGOs) contributed to the discussion as observers. What is more, the meeting provided a space where developing countries could also take part in the creation and dissemination of cyber norms. Moreover, the OEWG endorsed the norms agreed to by the GGE process.

The second OEWG is different. Stalemates have marked this OEWG since it began. The war in Ukraine has taken up much of the attention of the members of the OEWG. Despite having agreed on the participation of non-governmental stakeholders, twenty seven NGOs had their accreditation blocked by Russia. Russia and China have signaled their objection to NGO participation at several OEWG meetings.  This situation shows how NGOs can be drawn into geopolitical disputes and sets a negative precedent for future work on international cyber norms–leaving non-governmental stakeholders and their expertise in an uncertain position.

This is problematic as key stakeholders from different sectors such as the Forum on Incident Response Teams (FIRST), Microsoft, Chatham House, and other organizations could not provide feedback or contribute to debate.

The room where it happened

It is in the context of these tensions that the third session of the OEWG took place. At the start, the chair was adamant about having a consensus report and agreeing on low hanging fruits such as the establishment of a network of diplomatic, technical, and political Points of Contact and focusing on achieving a “concrete and action-oriented” document. Soon after the first draft, the uneasiness in the room became evident.   

Western and swing states started to work together on presenting joint statements while Russia and China avoided committing to the consensus until the last minute. Tensions revolved around issues ranging from data security, agreement on how to approach emerging threats, relevance of inclusion of gender, capacity building, and CBMs.

Data security was a key element to China’s position–given the inauguration of the Data Security Law and Personal Information Protection and the centrality of data security in China regulatory system. EU member states agreed on the importance of data security but saw it as a national concern not relevant to the OEWG.

Most countries were also concerned with the growing threat of ransomware and its widespread effects, as seen in Conti’s recent attacks on Costa Rica. Australia, Chile, Costa Rica, Indonesia and other countries submitted a joint text proposal suggesting that ransomware be included as threat that could lead to a national emergency, especially when targeting critical infrastructures. Despite the proposal, the issue did not reach the progress report and there is still a lack of understanding over what the international peace and security threshold is for such threats.

Challenges ahead

Overall, the first Annual Progress report of the OEWG 2021-2025 shows very little progress on substantive issues and is more of an agreement that members are willing to continue the conversation. The report was adopted because states were given the opportunity to explain their disagreements over the text and their expectations of future progress.

If the OEWG seeks to have a practical effect in the coming years, member states will need to curb mistrust through concrete guidance on norms implementation - rather than devising new norms. Adding new norms, while not encouraging the adoption of previously agreed upon norms and the adoption of existing mechanisms such as the national norms implementation survey proposed by Mexico and Australia, provide little depth to what countries can do to link national developments with international discussions. 

The focus on developing guidance on norms implementation would make the OEWG more effective despite member states split support to other mechanisms  and enable concrete exchange on how countries interpret and track these norms nationally and how the United Nations could help countries implement them. A discussion that would be enhanced by the participation of non-governmental stakeholders that are or have been working on developing frameworks for supporting implementation.

All in all, the OEWG faced a rocky road during its creation, and it does not appear as if tensions have significantly decreased in the year since then. The next months will be a major test to states commitments in pushing the conversation forward, as major political crises involving the West, Russia, and China continue and spillover into negotiations in the OEWG unavoidable. There is still little sight of the next steps.

Louise Marie Hurel is Special Digital Policy Advisor and Program Coordinator at the Igarapé Institute and a PhD researcher at the London School of Economics’ Department of Media and Communications.