A Calm Before the Storm?

Pavlina Pavlova Commentary

The eighth session of the United Nations Open-Ended Working Group on security of and in the use of information and communications technologies (OEWG) started with a promise to move the needle on key areas. Although the third annual progress report was agreed upon with relative ease, the Group remains soul-searching for the future format and focus of the regular institutional dialogue, inching along on substantive proposals, and redefining what ambition may look like in times of crumbling consensus on matters of international security.

The OEWG serves as the main multilateral dialogue on state behaviour in cyberspace through an evolving consensus framework, consisting of voluntary norms, international law, confidence-building measures and capacity building. Unlike other substantive meetings that discuss new proposals, the primary objective of the July sessions is to adopt the annual progress report (APR) – a consensus document marking the achieved progress and setting the stage for the upcoming year.

The negotiating week began with palpable tension. Many recalled the footnote diplomacy from last summer, when the Chair’s addition of two footnotes had led to a last-minute agreement. With the Group’s mandate expiring in a year, the pressing question was whether longstanding divides on the future mechanism could be, if not reconciled, then at least abraded. The impasse was resolved in a “UN fashion,” deferring difficult decisions to future sessions.

States double down on ransomware and artificial intelligence as emerging threats

The threat section opening the Group’s agenda is a good measure of what pains countries in cyberspace. The APR outlines the use of ICT capabilities for military purposes and those affecting critical infrastructure, alongside the need to secure undersea cables and orbit communication networks from malicious activity. Many delegations, including the European Union (EU), Australia, Canada, the United States, Japan, New Zealand and the Republic of Korea, among others, stressed the increasing frequency, scale and severity of ransomware attacks on critical services, infrastructure and supply chains that can have a disruptive impact on individuals, economies and societies at large.

The APR continues to highlight cryptocurrency theft and its use for financing illicit activities. Some delegations loudly protested. A group of a dozen countries, including Belarus, China, Iran, Russia, and Venezuela, opposed these references even on the last day, based on the pretext that this links cybercrime to issues of international peace and security. China further focused its opening intervention on Volt Typhoon, an allegedly Chinese threat actor conducting cyber operations to gather information on critical infrastructure and military capabilities in the United States. China’s delegation asserted that some states were using allegations of state affiliation with hacker groups to make unsubstantiated accusations, creating friction and disagreement among countries.

The role of artificial intelligence (AI) in ICT security has seen growing attention over the past year. Delegations raised concerns that AI is likely to increase the volume and heighten the impact of cyberattacks through the evolution of tactics, techniques, and procedures. The African Union supported the inclusion of quantum computing as a potential threat to international cybersecurity, alongside Brazil, Colombia, Finland and Mexico. The final text acknowledges that emerging technologies such as AI and quantum computing can create new vectors and vulnerabilities in the ICT space, increasing the speed and enhancing the targeting potential of malicious cyber activity.

The APR brought a detailed focus on protecting critical infrastructure from cyber harm. The German Council on Foreign Relations pointed to the gaps in norms implementation. Half of the countries have not designated their critical infrastructures. States that publicly designated essential sectors and services share many in common, including energy, health and transportation. The APR confirms the previous consensus language that it is the sovereign prerogative of each country to determine for itself what it considers to be critical infrastructure. In the same breath, the report outlines electoral processes and healthcare, maritime, aviation, financial and energy sectors among vital infrastructures. Closing the remaining gaps in common baselines for designations of critical infrastructure can advance the operationalisation of the framework of responsible behaviour, increase trust and predictability in cyberspace, and incentivise practical cooperation, including through public-private partnerships and wider multistakeholder cooperation.

A new body of law for cyberspace?

Exchanges on voluntary norms and international law revealed deep frictions on whether states need to negotiate new, and this time legally binding, commitments – or whether countries should prioritise the implementation of the 11 voluntary norms that have already been agreed upon – and map this progress, for example, through national reporting. There is a broad consensus that the emphasis should be on operationalisation of cyber norms and adding granularity on how to translate the framework into action. Exemplifying this sentiment, Croatia reminded states to “learn to walk before they can run” and the Chair continued to advance the checklist on norm implementation. Directing attention to implementing existing voluntary commitments is fiercely opposed by a few countries around Russia, asserting that binding obligations are necessary for addressing the deteriorating cyber threat landscape. The third APR follows consensus language that only summarises opposing visions.

A number of countries outlined a strong case for the inclusion of references to international humanitarian law (IHL) in the APR. The EU statement emphasised that the use of ICTs in the context of an international conflict is a reality today, making IHL clarifications ever-more important. The Netherlands spoke on the importance of IHL and international human rights law for the protection of civilians and civilian objects, referencing a cross-regional paper on the application of IHL in the use of ICTs in armed conflicts. The International Committee of the Red Cross (ICRC) highlighted the damage wrought by malicious cyber activities targeting civilian targets and asked for the APR to clearly reaffirm the applicability of IHL. Chatham House reiterated that international human rights law continues to apply alongside IHL even in situations of armed conflict, providing complementary and oftentimes more robust protections for civilians and civilian critical infrastructure.

International law, including IHL and international human rights, is closely tied to the promotion and protection of human rights and improved accountability in cyberspace. The UN member states universally recognise that existing international law applies in cyberspace, but more detailed considerations are needed to elaborate on how it applies. Delegations have agreed that scenario-based exercises, such as the one organised by the UN Institute for Disarmament Research (UNIDIR), are helpful in clarifying the application of international law by identifying areas of disagreement and consensus, and potentially isolating the grey areas for future work. Discussions on cross-cutting issues, such as the protection of critical infrastructure, could advance the interpretations of international law. Austria’s national position on international law applicable to cyber operations also takes a case-based approach that lays out different examples of international law violations and could serve as practice for future work.

Confidence-building measures and capacity building gain momentum

Confidence-building measures (CBMs) are an established practice in several regional organizations, such as the Organization for Security and Cooperation in Europe, the Organization of American States, and the Association of Southeast Asian Nations. The OEWG has agreed upon four CBMs, relating to the global Points of Contact Directory, continuing the exchange of views, sharing information on a voluntary basis, and encouraging opportunities for the cooperative development and exercise of CBMs. The Chair additionally proposed four new measures. The Initial List of Voluntary Global CBMs, which will be considered at the next session, includes measures on promoting information exchange to strengthen capacity in ICT security, engaging in regular capacity building events, exchanging information and best practices on critical infrastructure protection, and strengthening public-private partnerships.

Capacity-building is a cross-cutting issue, enhancing states’ ability to implement the framework, and incentivising many developing countries to actively participate in the Group’s work. The APR introduces a voluntary trust fund to finance capacity-building programmes for states and sponsor national delegations’ and experts’ participation in the negotiations. The fund was acknowledged as a positive step forward. Still, its scope will need to be carefully crafted to avoid duplication or overlaps with existing programmes in this area, such as those run by the World Bank and the International Telecommunications Union. Doubts remain about whether resources for this fund will drain from other established initiatives serving as a lifeline for multistakeholder engagement.

The United Kingdom emphasised that funding for capacity building should equally focus on upskilling experts in capitals. The Dominican Republic, Brazil, and Chile spoke about the importance of using the fund meaningfully to encourage diversity in national delegations, further stressing the need for gender and geographic balance. The Women in International Security and Cyberspace Fellowship was referenced as an example worth following. This programme pools resources from Australia, Canada, the Netherlands, New Zealand, the United Kingdom, the United States, and newly also Germany to sponsor the involvement of early and mid-career female diplomats. Thanks to this successful initiative, the OEWG maintains gender parity in participation and interventions.

Fragmented process looming over the Group’s future

As the Group is set to conclude its work next year, the race is on to shape the form and mandate of the next mechanism. All agree that the regular dialogue on ICT security must continue, and references to “seamless transition” and a single-track mechanism that could continue the Group’s work were abundant. Delegations also concur that the future mechanism needs to be consensus-driven, action-oriented, fit-for-purpose, single-track, inclusive, and flexible to react to the rapidly evolving nature of cyber threats. There is less agreement on how these principles translate into practice.

The OEWG has seen two competing proposals, the Programme of Action (PoA) and the Permanent Decision-Making OEWG, which present differing visions for advancing the framework of responsible behaviour in cyberspace and reflect the friction between implementing voluntary commitments and negotiating new, binding obligations. The Chair has attempted to reconcile the proposals by outlining their shared elements, and the United Nations Institute for Disarmament Research (UNIDIR) has put its research capacity into reviewing positions and mapping the areas of convergence and conflict.

If states fail to agree on a single mechanism, the Cyber PoA and the permanent OEWG could end up operating in parallel. The arrangement, however, would be far from amicable. The former could adopt an issue-specific, action-oriented approach focused on capacity-building and practical implementation, while the latter could serve as a platform for general deliberations. Still, such a setup would rest on a precarious balance, susceptible to politicisation and obstruction. The number of meetings could also strain limited resources, create duplication, and importantly, hinder progress due to potentially conflicting outcomes.

The stakeholder dilemma

The OEWG has been making no headway on the stakeholder issue in the emerging mechanism. Despite the many reiterations that stakeholder participation is important, the Cyber PoA has yet to provide guarantees for their strong and meaningful engagement. Stakeholder contributions must complement those made by states, be embedded in the plenary sessions, and facilitate ongoing exchanges rather than one-time statements. References to modalities adopted by the UN Ad Hoc Committee on Cybercrime have gained traction, but the APR fell short of including a robust stakeholder component.

Stakeholder participation in matters of international security remains contentious for a small group of countries around Russia. Others are vocal advocates for the stakeholder issue, represented by Canada’s and Chile’s working paper on stakeholders contributing to multilateral cybersecurity discussions. Finally, an overwhelming cross-regional majority supports active exchanges with technology companies, civil society, and academia – exemplified by the high number of multistakeholder events, initiatives and partnerships outside of the plenary.

Ultimately, stakeholder participation in matters of international security is a political decision. The success of the future mechanism will hinge on striking a balance between high-level political discussions and technical exchanges involving experts. It would be a missed opportunity if it falls victim to a few countries wanting to reserve participation solely for states.  

With one year remaining, the OEWG is left soul-searching about whether actual progress can be achieved, and if so, which areas would allow the international community to advance constructively. While three consecutive consensus reports are an achievement, the final report will need to be ambitious to mark the Group’s four-year effort as a success. In an opposite scenario, if states do not agree on a final report, the incremental progress from annual reports will have only a limited impact on future cybersecurity dialogue. The dilemma of stakeholder participation emerges as a defining challenge, potentially making or breaking the case for multistakeholderism within the international framework.

Thumbnail image: credits to @helloimnik on Unsplash

About the Author

Pavlina Pavlova

Pavlina Pavlova is a #ShareTheMicInCyber Fellow at New America and a UN external expert on cybercrime. She has driven civil society engagement in UN processes on cybersecurity and cybercrime and served as an official at the Organization for Security and Co-Operation in Europe. Her research examines the impact of technology on people and translates the evidence into recommendations for improved governance.
