United Nations OEWG on ICT Security

Pavlina Pavlova Commentary

The United Nations Open-Ended Working Group on the security of and in the use of information and communications technologies (OEWG) concluded its seventh substantive session in early March. Delegations gathered in New York to discuss proposals to advance the framework of responsible behaviour in light of present and emerging cyber threats and the needed capacity-building efforts. With the group’s mandate expiring in 2025, the urgency of reaching a broader agreement on the contested issue of regular institutional dialogue grows.

The global cyber landscape has been evolving rapidly, with a growing number of vital services falling victim to State-sponsored attacks and cybercriminals alike. A number of States highlighted in their interventions the threat of ransomware against parts of critical infrastructure and services that can reach the level of international security and therefore should be addressed at the OEWG. Delegates also pointed to the risks of misuse of artificial intelligence (AI) for conducting cyberattacks. As described by Portugal, AI emerged as a leveller across multiple threat actors, allowing rogue States to exploit advanced technology for offensive cyber programs. The final wide-ranging list of threats during this session covered everything from the use of large language models (LLMs) for developing new, more sophisticated threats and malware to the expanded attack surface of Internet of Things (IoT) devices and cloud computing.

The increasing frequency, scope, and sophistication of cyber incidents and operations come at a human cost. As highlighted by Belgium, people and individuals suffer from cyberattacks, particularly when those incidents destroy and disrupt critical infrastructures and, in their consequences, deprive populations of basic services. South Africa pointed to the further complexity of such attacks, stemming from the growing potential for misuse and manipulation of AI to disrupt the functioning and availability of vital systems, which poses a formidable challenge to national security, can lead to panic and place human life at risk. In times when consensus decisions are scarce in the field of international security, acknowledgments of the underlying human consequences have the potential to build shared considerations across regions. This important work needs to be carried on and developed in future mechanisms. Two concrete ideas already emerged. The United Kingdom suggested that future working groups could also include victims of cyberattacks, and Belgium proposed a victim-based approach to be integrated into the regular institutional dialogue with the creation of a committee on victims’ assistance.

Amid the growing threats, the current pace of operationalizing these “rules of the road” in cyberspace seems insufficient and admittedly more needs to be done at the international level to foster meaningful cyber accountability. To help with the implementation of cyber norms, the Chair published a discussion paper on a checklist of practical actions. This draft received generally positive feedback in the plenary with some criticism on the duplication of proposed measures. As discussions continue to finalise the proposal and add more concrete language, other initiatives, such as Canada’s norm implementation guidance text, the UN Office for Disarmament Affairs (UNIDIR) Survey of National Implementation, the Singapore-UNODA norms implementation checklist, as well as the previous efforts of the Australian Strategic Policy Institute should be considered in order to build stronger consensus language.

Already in 2013, States confirmed by consensus that international law applies in cyberspace. The question remains how it applies. Two positions on the application of international law in cyberspace were published to coincide with the session – national views by the Czech Republic and a joint position by the African Union. A cross-regional group of countries (Brazil, Canada, Chile, Colombia, the Czech Republic, Estonia, Germany, the Netherlands, Mexico, the Republic of Korea, Senegal, Sweden, and Switzerland) published a working paper on the application of international humanitarian law to the use of ICTs in situations of armed conflicts. These joint initiatives, together with the widely credited UNIDIR scenario-based exercise on the application of international law and similar practical workshops, can have a ripple effect on the remaining States who are yet to come forward with their national positions and help build shared understandings and capacity on this key issue.

The global cyber points of contact (PoC) directory is finally coming to realisation under the UN Office for Disarmament Affairs. Though commonly referred to as “a low-hanging fruit” for building confidence in cyberspace, it will present a tangible legacy of this OEWG. Some 25 countries nominated diplomatic and technical points – generally represented by Ministries of Foreign Affairs and national Computer Emergency Response Teams (CERTs) – by the end of the March session, with others expected to do so by the April deadline to be ready for the ping test scheduled for June. This PoC directory will create secure direct communication lines between States and primarily serve to de-escalate potential future tensions that could otherwise lead to conflict. Several States encouraged the development of further confidence-building measures (CBMs), for example, by taking inspiration from the OSCE’s existing work, including measures related to the protection of critical infrastructure. Others stressed the necessity of operationalising the four already agreed-upon CBMs, so that they do not “stay only on paper”.

Capacity-building efforts are enjoying prime time in the OEWG discussions – a trend that is set to continue as countries grapple with increasing needs to address cyber threats both on the technical and political levels. To survey the global landscape of capacity-building programmes and initiatives, the Secretariat conducted a mapping exercise, including considerations for gender-sensitive capacity-building, specific needs of developing states to narrow the digital divide, and the role of cyber resilience for sustainable development. In preparation for the dedicated Global Roundtable on ICT security capacity building scheduled in May this year, the Chair has issued an open invitation to States and interested stakeholders. This high-level event hopes to leverage the UN convening role to build partnerships, facilitate multistakeholder cooperation, and ensure synergies between national, regional, and international initiatives, though a question remains how much can be achieved in a single day.

As the group’s mandate expires next year, the urgency grows to agree on the future format of regular institutional dialogue. France presented the structure of the Cyber Programme of Action (PoA), designed as a single-track process to host UN discussions on international ICT security post 2025. The proposal envisions three foci – review conferences, implementation of norms for responsible behaviour, and open-ended discussions. The United States further highlighted the need for a “gold standard” for stakeholder participation and a necessity for a seamless transition to the PoA that should be outlined in the OEWG’s upcoming reports. Still, the PoA resolution that passed at the UN General Assembly with a wide majority of 158 countries includes only weak language on stakeholder participation. This is to the detriment of the overall ambition and appeal of the proposed future mechanism. As illustrated by the joint working paper on stakeholder contributions co-ordinated by Canada and Chile, stakeholders are at the centre of cyberspace, be it as owners and operators of elements of the infrastructure, or as the voice of affected communities.

Russia meanwhile proposes to extend the OEWG indefinitely and reiterates points from a concept paper supported by a group of thirteen countries that was circulated last December. This proposal calls for legally binding rules, norms and principles, adapting international law to “fit” cyberspace, and establishing specific programs or funds for cyber capacity building. It presents a step down from the initial call for a Convention on ICT security that has not met with larger support.

Amid competing visions, concerns grow about the potential fragmentation of the future dialogue. Brazil reacted to these developments by proposing a moratorium on competing resolutions outside the OEWG until the issue finds consensus within the group – a sentiment echoed by a number of countries. Parallel processes would indeed exacerbate the divide between countries, overwhelming particularly small and developing countries with limited resources to participate in these discussions and, importantly, undermine the ubiquity of the framework of responsible behaviour. To help reconcile the competing visions, the Chair put forward a discussion paper reflecting on the common elements that have been agreed in the Annual Progress Reports, serving as a basis for achieving consensus among Member States. This effort was notably supported by China which has been trying to position itself as a go-between actor.

While the productive atmosphere of 2021, when both the first OEWG and the UN Group of Governmental Experts (GGE) running in parallel agreed by consensus on complementary final reports, is gone, States will need to find common ground to ensure the continuity of this process. The current OEWG has started its work with a clash over stakeholder modalities – something that the next mechanism will have to effectively address – and runs its course through a worsening geopolitical environment. Today, contributions of actors from industry, academia, and civil society, as well as technical, policy and legal experts are amply acknowledged, yet lack meaningful formalisation. Despite cross-regional consensus forming around the many contributions of stakeholders, only eighty-seven organisations have been accredited to participate in the process, while many key non-governmental actors remain vetoed by a handful of countries. The future regular institutional dialogue must act on this gap by showing strong ambition for incorporating the expertise, experiences, and resources of stakeholders and means to facilitate issue-based and needs-driven collaboration.


About the Author

Pavlina Pavlova

Pavlina Pavlova is a #ShareTheMicInCyber Fellow at New America and a Public Policy Advisor at the CyberPeace Institute. She has served as an official at the Organization for Security and Co-Operation in Europe (OSCE) and coordinated programmes strengthening the human dimension of security. Her research examines the impact of technology on people and translates the evidence into recommendations for improved governance.
