Unexpectedly, All UN Countries Agreed on a Cybersecurity Report. So What?

Josh Gold is a visiting fellow at the Canadian International Council.

The third and final substantive session of the UN cybersecurity Open-Ended Working Group (OEWG) was held last week in a hybrid virtual and in-person format. Since its inception in 2019, the OEWG has involved the participation of some 150 countries and observers, producing nearly 200 written submissions and over 110 hours’ worth of on-record statements. Last week’s session was expressly reserved for negotiating compromise on the contents of the final draft report.

Despite skepticism and ongoing geopolitical tension, UN member states reached consensus last Friday to endorse a report containing recommendations for advancing peace and security in cyberspace. The report is not legally binding nor groundbreaking in its content but marks the first time that a process open to all countries has led to agreement on international cybersecurity.

The report [PDF] broadly reflects points of consensus and also makes recommendations for further progress in the areas of emerging threats, voluntary behavioral norms, international law, capacity building, confidence-building measures, and potential formats for regular UN dialogue on these topics.

The core significance of the OEWG report is in its reaffirmation of language and recommendations [PDF] from the UN’s decades-old cybersecurity Group of Governmental Experts (GGE) process—which only included a small cadre of countries. The reiteration of previous GGE recommendations on voluntary norms and international law, this time in a process which included all countries, serves as an indirect yet meaningful reinforcement to U.S.-led efforts to advance collective accountability for malicious cyber activities that transgress international norms.

Amid repetition and platitudes, the OEWG report also brings issues to the international agenda which have not previously been accepted nor widely discussed at the UN. These include references to protecting medical and other specific critical infrastructure, as well as the affirmation that countries will try to ensure the “general availability and integrity of the Internet.” The report further endorses the need for capacity building in international law and, at China’s insistence, both supports the responsible reporting of vulnerabilities by states and also encourages states to protect the integrity of the supply chain for ICT products. Cyber threats against electoral processes and the benefits of multi-stakeholder engagement are also raised.

Compromise did not come easily, as the OEWG process has been marked by longstanding contention. In the end, no country was fully pleased with the contents of the report. Iran even went so far as to “disassociate” itself from it, given “unacceptable content” (see 1:15 in this video). While it did not ultimately block consensus on the report, disassociation is an uncommon UN practice which provides Iran with some basis to claim it is not bound by the report’s conclusions.

Reflecting the general sense of dissension, U.S. State Department Cyber Coordinator Michele Markoff successfully demanded that the phrase “states agreed,” which would have appeared at the beginning of each clause of the report, be thoroughly struck from the final report. But in the spirit of compromise, the United States and other liberal democracies permitted changes which, to them, were unpalatable yet bearable. For example, the U.S. criticized—but ultimately accepted—the inclusion of a reference to the possibility of “international legally binding obligations,” the elimination of references to international humanitarian law, and a diluted emphasis on human rights.

One area, however, in which the United States and other like-minded democracies refused to budge, was the reaffirmation of the 2015 GGE conclusions that were endorsed [PDF] by all UN countries in 2015. Delivering her opening remarks virtually, Markoff insisted that the 2015 GGE framework of norms and international law are foundational and should be built upon. Acceptance of the 2015 norms is important because, as James Lewis argues, doing so provides a “basis for collective response to actions that violate them.”

Moreover, as proposed by Dmitri Alperovitch and Ian Ward in Lawfare in the context of recent state-linked compromises of Microsoft software, clear international norms can more effectively outline red lines for certain classes of malicious activities. This enables countries to respond appropriately to malicious cyber activities and enforce those red lines when they are violated by imposing costs on adversaries. Thus, the OEWG’s consolidation of the 2015 GGE norms constitutes an important step in the effort to establish a normative framework which can better equip and justify efforts by countries to respond to unacceptable state activities in cyberspace.

The success of the OEWG in achieving consensus means that international security in cyberspace has become, for the first time, an issue that is discussed by all UN member states. It thereby marks an almost-certain end to the GGE format after the current GGE concludes its work in May 2021. The GGE is likely to be replaced by a French-Egyptian proposal for a Programme of Action [PDF] (PoA) that the United States supports, while another OEWG will begin its work from 2022-2025.

The OEWG has proven its worth as a meaningful forum for sharing views and discussing contentious issues, while also being open to some public scrutiny and non-governmental input. The consensus result is a victory for diplomacy and could be a slow step toward a more stable and predictable cyberspace.