Cybersecurity is a matter of international security. Recent incidents with implications for international security include ransomware operations conducted by groups with ties to a foreign government military intelligence service against Costa Rican government services and operations against the communication services used by the Ukrainian military conducted by Russian cyber threat actors. These developments make cyber diplomacy more relevant, but also more challenging, as the chances for diplomatic dialogue shrink.
Against this backdrop, it is noteworthy that, in late July, a large majority of United Nations (UN) member states – including Russia, China and their Western counterparts – managed to agree on a consensus report of the UN open-ended working group on cyber issues (OEWG). What is not surprising, however, is that substantial progress on the most critical issues was scarce. Four specific sets of actions can pave the way for more productive sessions in the future.
A process with little progress
The OEWG is the current one-stop shop for debates about cybersecurity at the UN. The forum is open to all UN member states and non-state organisations whose participation is approved by member states. For four years, these actors get together twice a year – for a week each in spring and summer – at the UN headquarters in New York to discuss six issues related to international cybersecurity: the threat landscape, the applicability and application of international law, the development and implementation of cyber norms, the development of cyber confidence-building measures, cyber capacity building and the format of future dialogue at the UN on these issues.
While participation varies from session to session, the number of participating states is usually in the triple digits, including the major ‘cyber powers’ like China, Iran, Israel, Russia and the United States.
The current OEWG is already the second iteration: the OEWG I was in session between 2019 and 2021 and produced a consensus report, although it was generally considered far from a breakthrough. The ongoing OEWG process was launched in 2021 and is expected to finalise its work in 2025, possibly by adopting a consensus report, as foreseen in its mandate. Still, even before that, the group is meant to produce annual progress reports, the first of which was adopted by consensus of all participating states in July 2022. This report remains vague on most points – a modest outcome that is not surprising in the current constellation of international politics. According to the document, all topic areas are to be discussed further, and states are invited to continue to submit proposals and report on topical national initiatives.
The only concrete outcome of the report is the decision to establish, for the first time at the UN level, a concrete confidence-building measure (CBM), namely a global directory of national cybersecurity points of contact. The idea of CBMs goes back to the Cold War era, the most famous example being the hotline between Washington and Moscow that was established after the Cuban Missile Crisis to allow for direct communication between the two superpowers to clear up possible misunderstandings and thus prevent inadvertent conflict escalation. Translating this idea to a cybersecurity context, states are to nominate national points of contact to, similarly, facilitate crisis communication. This low-hanging but valuable fruit is far from a new idea: three regional organisations – namely the Organization for Security and Co-operation in Europe (OSCE), the Organization of American States (OAS) and the ASEAN Regional Forum (ARF) – have formulated similar CBMs and started to practically implement them. Moreover, the report of the OEWG I already mentions the establishment of such a network. In other words, in the 2022 annual progress report, states take up this idea already mentioned elsewhere and decide to put it into practice. While this progression is typical for diplomatic settings, the wording of the OEWG II report leaves many questions unanswered – such as how and by whom this directory would be managed, who would fund it and whether the directory would also coordinate operational collaboration, such as, for instance, regular cybersecurity exercises. A background paper, to be drafted by the UN secretariat by early 2023, and an intersessional meeting are supposed to provide answers. Nevertheless, overall, the progress of the OEWG II so far has remained limited.
Pathways to success
There is a structural reason for the limited progress in (cyber) diplomacy: Even before relations between Russia and many Western states reached a new low following Russia’s invasion of Ukraine, both ‘camps’ had been growing increasingly estranged for years, both in the field of cybersecurity policy and beyond. Nevertheless, there may still be room for modest progress in the OEWG II. Specifically, four pathways might lead to more substantial success in future meetings: more interregional working groups, stronger links between cyber capacity building activities and norms implementation, developing concrete proposals for norms implementation through an ‘adopt a norm’ approach, and a stronger voice for non-state organisations.
Interregional working groups
First, states should form more informal, interregional working groups within the OEWG II to advance specific issues. After all, the only concrete outcome of the progress report resulted from the efforts of such a group. The idea of putting the points of contact network into practice can be traced to a proposal to the OEWG II by an interregional group of nine states that call themselves the ‘confidence-builders’: Australia, Brazil, Canada, Germany, Israel, South Korea, Mexico, the Netherlands and Singapore. Such an approach allows each state in the working group to act as an advocate for the issue in its respective region and to incorporate suggestions and concerns, which can make proposals more robust, build interregional agreement and thus increase the odds of consensus. This also builds on the practice of past regional consultations of the UN Group of Governmental Experts (GGE), which served as two-way streets for exchanging information and including the points of view of states in the respective regions.
Linking capacity building and norm implementation
Second, after years of announcements, in the final report of the OEWG II, states should finally develop concrete proposals to advance the implementation of cyber norms. To this end, states should strategically design international cyber capacity building activities with norms implementation in mind: many states are already conducting a range of cyber capacity building activities abroad, but these are often of a general nature and not linked to cyber norms. Integrating the two would kill two birds with one stone. In concrete terms, the focus should be on those cyber norms that already enjoy stronger consensus – such as the commitment to global dialogue on cybersecurity (norm a), international cooperation to combat the use of information and communication technologies for criminal and terrorist purposes (norm d) and the protection of own critical infrastructure (norm g).
The UN Institute for Disarmament Research (UNIDIR) national implementation survey could also be used more extensively here. For now, the portal depends on states’ voluntary submissions. These will only be published on the survey website – instead of remaining only with UNIDIR – if states explicitly choose this option. This is where cyber capacity building programs can come in: they can incentivise participating states to familiarise themselves with the tool and reward them for using it to report on their own implementation steps and publish their responses. This would advance knowledge about practical implementation steps in different political contexts, increasing the odds of finding consensus language on norms implementation in the next report. Reports about these activities should then be brought to the OEWG II to advance the debate on norms implementation.
‘Adopt a norm’ approach
Third, states should also develop proposals for advancing the implementation of norms around which less consensus exists. The informal system of ‘adopting a CBM’ that the OSCE set up for its confidence-building measures may serve as an inspiration for the field of cyber norms. In this system, a state ‘adopts’ a CBM and decisively drives its translation into concrete policy. In the case of cyber norms at the OEWG II, however, states should not act alone, but should also strive for international cooperation. Through such a system of ‘adopt a norm’, states could formulate and socialise proposals for the implementation of more controversial norms with high practical relevance, like the responsible handling of software vulnerabilities (norm j) or the integrity of supply chains of information and communication technology products (norm i). Such proposals could then feed into the OEWG II final report.
Stronger non-governmental voice
Fourth, subsequent sessions would benefit from a stronger voice for non-state organisations. There are two elements to this. First, as I have argued elsewhere, under the leadership of the chair, states should reconsider the modalities for the participation of non-state organisations, including limiting states’ veto power, enabling non-state actors to address all issues of the OEWG and creating remote participation opportunities for non-state organisations. Second, those non-state organisations whose participation was approved by states should consider tailoring their inputs to the forum. For the session of July 2022, many organisations prepared statements, ranging from general policy recommendations and descriptions of their activities to concrete wording suggestions for the annual progress report. The more the contributions of non-state actors focus on the latter, the higher the odds that states take up these proposals in their deliberations and potentially in their reports. This, in turn, will enhance the quality and legitimacy of any OEWG II outcome.
These four suggestions show that all involved stakeholders – states, the chair of the OEWG II and non-state organisations – can do their part to make future OEWG II sessions more productive than the meeting this past July. Room for step-by-step progress will likely remain, so it is essential to make the best use of it. After all, while the OEWG II is far from perfect, it is the only setting where all states come together to discuss cybersecurity matters.
About the Author
Alexandra Paulus is Project Director for International Cybersecurity Policy at Stiftung Neue Verantwortung, the Berlin-based tech policy think tank. Her work focuses on cyber diplomacy, the development and implementation of cyber norms and non-traditional actors in international cybersecurity policy.