The recent meeting of the OEWG on ICTs in New York was held amidst a climate of significant global cyber threats and geopolitical tensions. The meeting was successful in terms of attracting a high number of new proposals and broad participation from member states, which is particularly valuable in the current climate of multilateral uncertainty. However, the OEWG faces the challenge of addressing a wide range of issues while contending with polarised views on core cybersecurity matters. As a result, making meaningful and inclusive progress is challenging. While the process is crucial in promoting dialogue and building confidence among nations, it must also demonstrate impact in tackling the pressing issue of cyber threats. Striking a balance between these expectations and political realities is a complex but necessary objective.
The fourth substantive session of the UN’s Open-ended Working Group (OEWG) on information and communication technologies (ICTs) met from 6-10 March 2023 in New York, against a challenging backdrop of ever-increasing cyber threats and ongoing geopolitical tension. As both its Chairperson and the UN High Representative for Disarmament Affairs noted in their opening remarks, this context makes the Group’s work ever more urgent and necessary – but also more challenging. In this context there were plenty of mentions of the Russian invasion of Ukraine, highlighting how it has translated into a series of cyber operations and violations of the framework of responsible state behaviour by the Russians. While the chair often invited delegates to keep the discussion substantive, rather than political, many delegations openly condemned Russian actions and expressed solidarity with the Ukrainian delegation.
During the session, states discussed all six of the OEWG’s core topics. Doing so helped to lay the groundwork for the OEWG to adopt a second annual progress report (APR) at its next session in July, by identifying areas of convergence and agreement in response to guiding questions set out by the chair.
Threats of greatest concern
The discussion on threats and on the evolving landscape of malicious vectors (under paragraph 1 of UN General Assembly (UNGA) resolution 75/240) featured the largest number of statements from delegations. It is worth noting that, aside from the number of statements, many delegations who did not engage with this thematic area before took the stage to frankly discuss their concerns and priorities regarding threats that are either novel or on the rise. Many delegations – including the EU, Estonia, North Macedonia, Iceland, Morocco and many others – noted that the landscape has been evolving constantly and stressed that the APR should constitute an accurate depiction of issues to monitor.
Most delegations mentioned ransomware attacks as one of the most concerning risks, due to their enormous direct and indirect costs, their potential to paralyse critical services and their ease of deniability. In this context, Costa Rica provided a laudable and transparent account of its own experience with the 2022 ransomware attack which escalated to the level of national emergency. The aforementioned ease of deniability of such devastating attacks makes attribution extremely hard, thus reinforcing the payoffs of ambiguous postures.
Similarly, generative AI technologies, quantum computing and the protection of critical infrastructures were flagged as critical issues to watch in coming years, due to the potential losses associated with their disruptive capabilities. The latter may cause full-blown paradigm shifts in the cybersecurity domain.
A particularly interesting proposal came from Kenya: that the OEWG create a repository of common threats, actors and voluntary reporting of incidents. The Kenyan delegation pointed out how the OEWG could facilitate the process through a multistakeholder cooperation platform. Another interesting point was raised by Romania: it pointed out that while technologies play a role in changing threat landscapes, their nature is not intrinsically malicious, and more attention should be devoted to states’ conduct and actions.
It is interesting to note how many of the threats raised by states in this session aligned with points made by non-governmental stakeholders during an informal meeting on the topic of threats convened by the OEWG Chairperson. The meeting, which took place on 1 March, covered existing and potential threats in the field of ICT security as well as their concrete implications for the OEWG’s discussion. In the informal meeting, diverse stakeholders raised concerns about the potential of AI and quantum computing to multiply existing cyber threats, as well as concerns about supply chain security, ransomware and so-called cyber mercenaries.
PoC directory progressing
Another topic that received much attention during the formal session and as part of a focused informal meeting held the week prior is the proposed Global Points of Contact (PoC) directory, which states agreed to establish in the APR adopted last year. A non-paper distributed by the chair in advance of the session helped to focus discussion by setting out possible elements for the PoC’s development and operationalisation. Reactions from states to the revised non-paper were varied but there was wide support on several aspects. These were:
- that the PoC be voluntary and politically neutral;
- that it act as a mechanism for building confidence and be developed in an incremental way;
- that table-top and other interactive activities be used in its operationalisation;
- and that it should not duplicate such existing networks or directories.
Relatedly, many states from Europe and Asia stressed the value of learning from existing directories, while a few others – such as Egypt and Venezuela – cautioned against this approach, noting that not all UN member states belong to existing networks or directories. The potential of the PoC for capacity building was also highlighted by a few delegations, such as Costa Rica, South Africa and Thailand. Per the chair’s paper, the PoC would be solely for governmental contacts, despite calls from some to widen it to include relevant non-governmental stakeholders – if not initially, then in the future.
The PoC has been described by some OEWG participants as ‘low-hanging fruit’ which, if established, could provide the OEWG with a concrete output. But the achievement of even low-hanging fruit cannot be taken for granted, nor its long-term impact guaranteed. There are still divided views about some key aspects, including its precise scope and purpose (for instance, the degree to which it can aid in diplomatic and crisis communication as well as be a forum for technical exchange) and the methods by which points of contact would engage with one another. Moreover, the PoC will ultimately be only one component of a package of decisions and compromises that states will need to negotiate with one another in July, in which such low-hanging fruit may become a bargaining chip for progress or agreement under other, more contentious OEWG agenda items.
Russian proposal reintroduced
One of the more unexpected aspects of the OEWG session was Russia’s (re)introduction of its proposal for a UN convention on ‘ensuring international information security’. Co-sponsored by Belarus and Nicaragua, the proposal is the latest iteration of Russia’s longstanding desire to establish a global cyber treaty. The concept paper submitted to the OEWG and referenced during the March session includes 21 principles upon which a convention could be based, and notes cooperation and capacity building as among its objectives.
One analysis has noted the risks this proposal poses to digital human rights. Consistent with Russia’s position over many years, the proposal opens with the contention that a legally binding instrument is needed to close gaps in existing law. The proposal was quickly rebuked by many member states, who either reiterated the view that a legally binding instrument is not necessary or politically feasible in the current context or directly acknowledged the irony of such a proposal coming from Russia. Yet there are a handful of states besides Russia who also support a legally binding instrument in this area, and views on this surfaced not only in the context of the OEWG’s discussion about international law and ‘rules, norms and principles’ but also during the discussion about institutional dialogue, i.e. how the UN will continue to address international cybersecurity.
Virtual meetings with experts gain support
Another noteworthy development from the session’s discussion about international law was the growth in support for the suggestion that the OEWG convene dedicated meetings to focus on specific aspects or types of international law, and feature presentations from relevant experts. This would enable more detailed and focused discussion than has been feasible so far. It was suggested that such meetings could be convened virtually between now and the July session. The release, during the OEWG, of a series of briefing papers from the International Committee of the Red Cross on how and when international humanitarian law (IHL) applies to state use of ICTs underscored the necessity of involving legal experts in future OEWG discussions on topics of law.
Cyber PoA debated
Bound up in the OEWG’s discussion about law and future instruments is the proposal for a cyber Programme of Action (PoA) – originally proposed by Egypt and France – debated mainly on the final day of the session. There continues to be wide and cross-regional support for creating a PoA, but even supportive states articulate differing visions for the potential instrument’s scope and purpose, and view it as another dialogue process. Many look to a PoA primarily as a forum for cyber capacity building and for matching needs with resources. Some states point to it as a vehicle to support implementation of the UN framework (i.e. the UN cyber norms and existing international law); a few view it as a space to potentially expand the framework. A smaller group of states oppose the PoA entirely, either because of a preference for a legally binding instrument or because of concerns over creating parallel UN processes. A complicating factor is the question of whether a PoA will eventually replace the OEWG when the OEWG concludes work in 2025, or if it would co-exist with the OEWG’s successor.
In the UN system, PoAs and OEWGs have distinct roles, but the lack of clarity around the purpose of a future cyber PoA is blurring that distinction. The next few months will be significant for the PoA: per a UNGA resolution adopted in late 2022, states are invited to submit to the UN, by mid-April 2023, their views on the possible instrument’s ‘scope, structure, and content’, as well as possible modalities for its establishment. Submissions will form the basis of a report from the UN Secretary-General to the UNGA in 2023, which will likely determine the way forward for the PoA. Despite the many uncertainties, the PoA seems to remain one of the most concrete bets to create a substantive and permanent action-oriented forum. It is, in fact, an opportunity to craft a roadmap for an inclusive, policy-oriented platform.
Progress on gender diversity
The fourth OEWG session took place at the same time as the annual UN Commission on the Status of Women (CSW), which this year zoomed in on technology and innovation in the context of gender equality as a priority theme. The energy of the CSW, which attracts thousands of civil society participants and consistently features a robust side event calendar, added a boost to the growing support for gender within the OEWG. This includes support for gender-sensitive cyber capacity building and efforts to narrow the gender digital divide, as well as the promotion of women within the OEWG and cybersecurity more broadly. These points have all been reinforced in the final consensus report of the 2019-2021 OEWG and the July 2022 APR and bolstered by relevant substantive contributions from states and non-governmental stakeholders alike. The OEWG’s Women in Cyber fellowship program has been key to improving gender diversity among participants and speakers at OEWG sessions; during the fourth substantive session, women delivered 47% of total interventions.
The perennial issue of non-governmental stakeholder access to the OEWG turned up again for this fourth session. While there was some ‘progress’ this time, in that more organisations had their accreditation requests approved than in any previous session, quite a few were denied, including those of many key actors. Ukraine explained that it had vetoed the requests of organisations that it believes to be affiliated with the Russian government; the Russian government said that it carefully reviews all applications and denies those that it believes are not truly independent. Canada and the European Union condemned non-transparency in the process and delays in the accreditation process that made it challenging for stakeholders to obtain travel visas. The denial of visas by the United States to diplomats and stakeholders alike was raised by Russia as an issue for both its nationals and those of other countries; this is an issue that arises in multiple processes based at UN headquarters in addition to the OEWG.
An important moment in time
The richness of substantive content and proposals has been an attribute of the OEWG process since its inception. The fourth session may have even seen a record number of new proposals, as summarised by the DiploFoundation, as well as high and diverse levels of participation among member states. At a time when multilateralism is under threat, an open forum for dialogue and exchange on such a consequential aspect of international peace and security is valuable and, as repeatedly pointed out by delegates, is a de facto confidence building measure. Yet the OEWG risks becoming a victim of its own success by trying to cover too many things, all at the same time. Polarised views on core cybersecurity issues also make meaningful and impactful progress challenging. The ongoing obstacles to stakeholder participation also risk undermining the credibility, and effectiveness, of its outcomes.
The OEWG’s fifth substantive session from 24-28 July will be a negotiating meeting, and is the midway point for the overall process. Given the realities of the cyber threats facing our interconnected world, this process needs to demonstrate impact. Striking a balance between that expectation, and political realities, is an elusive but important goal.
For a previous EU Cyber Direct engagement on the matter see: https://eucyberdirect.eu/events/investigating-ransomware-lessons-from-international-cooperation-against-cybercrime
About the Author
Allison Pytlak & Andrea Salvi
Allison Pytlak is the Program Lead of the Cyber Program at the Stimson Center. She has researched, published, and provided several trainings about the gendered dimensions of cyber security and diplomacy including in her prior role with the Women’s International League for Peace and Freedom (WILPF). Dr Andrea Salvi is Senior Analyst at the EU Institute for Security Studies, where he leads the analysis of cyber and digital issues, and he is the Project Director of the EU Cyber Diplomacy Initiative - EU Cyber Direct.