Art, Graphics, People, Person, Logo

What’s new with cybersecurity negotiations? The informal OEWG consultations on capacity building

Published on 24 July 2023

In May 2023, delegations met in New York for an informal meeting on capacity building and discussions on all topics under the Open-Ended Working Group’s (OEWG) mandate. Lines drawn long ago don’t seem to be budging. Operalisation and implementation of existing vs elaboration of new rules and mechanisms are causing issues across the board. It seems that the discussions on threats is the most straightforward. Let’s delve into the intricacies of these discussions to gain a deeper understanding of the current dynamics.

Want to know more about UN OEWG? Visit our dedicated Digital Watch page.

capacity building icon

Capacity building

At the first session of the OEWG intersessional meetings, the chair held an informal roundtable on cyber capacity building where UN agencies and international organisations spoke on capacity building in the area of ICT security.

First, the Counter-Terrorism Committee Executive Directorate (CTED) emphasised its role as a key facilitator of capacity -building for member states in the field of ICTs and terrorism. CTED identified critical technical assistance gaps in combating terrorist and violent extremist activities online and made a number of recommendations for member states to address those challenges CTED highlighted comprehensive training programmes designed for law enforcement and criminal justice practitioners dealing with digital evidence as well as technical assistantships on how to identify and investigate terrorism-financing crimes committed online using virtual currencies, new payment methods, and cyber-based fundraising techniques. CTED highlighted the significance of public-private partnerships, such asTech Against Terrorism or CTED’s Global Research Network

The UNOCT/UNCCT Global CounterTerrorism Programme on Cybersecurity and New Technologies called upon member states to develop strategies for reducing risks to critical infrastructure from terrorist attacks and emphasised the need for cooperation between Computer Security Incident Response Teams (CSIRTs) and law enforcement. They presented recommendations for cyber capacity building, including raising awareness and implementing guidelines, utilising open-source information for analysis, conducting dark web investigations with digital evidence for prosecution, and conducting tabletop exercises and cyber drills to enhance preparedness and collaboration in response to terrorist cyberattacks. 

Finally, the UN Institute for Disarmament Research (UNIDIR) outlined ways in which the OEWG could better support UNIDIR’s capacity-building work, including Annual Programme of Work reviews to identify priority issues, dedicated discussions on selected topics, and increased awareness and promotion of existing resources.

Avoiding the duplication of efforts

Calls to avoid the duplication of existing efforts are a staple in any UN discussion, and that includes the OEWG. The potential roles of UNIDIR and the Global Forum on Cyber Expertise (GFCE) in sharing information and resources for cyber capacity building are consistently highlighted. What set this particular session apart from others was that countries went beyond merely urging against duplication. Instead, they proposed synergies between existing mechanisms, suggesting that these mechanisms could complement one another rather than being viewed as separate instruments. This departure from the usual approach signals a shift towards seeking collaborative solutions and maximising the effectiveness of existing frameworks.

Japan, the Philippines, and Iran suggested instrumentalising initiatives already under the auspices of the UN. Japan proposed utilising the UNIDIR cyber portal to share information on national and regional capacity-building initiatives. The Philippines and Iran suggested approaching existing initiatives under the UNODC and ITU in a collaborative manner, through knowledge sharing, tailored adaptation, and resource sharing. Switzerland noted that states should examine how the UNIDIR cyber policy portal and UNICEF are working together to create a new cyber capacity-building mechanism and how synergies with existing platforms like the Global Forum on Cyber Expertise (GFCE) cyber portal can be used. 

Canada and Chile stressed the role of the GFCE for its active participation in formulating strategies for cooperation, assistance, and capacity building in all regions of the world. 

However, some states feel existing mechanisms, instruments, and bodies are simply not enough. For instance, India reiterated its proposal for developing a Global Cyber Security Cooperation Portal (GCSCP), a new coordination mechanism under the auspices of the UN. We wrote about this proposal in March.

The role of regional organisations

Regional and sub-regional organisations were once again hailed as having an important role to play in providing and leading capacity-building programmes. Chile and Colombia noted that regional organisations should be acknowledged in the recommendation section of the second OEWG Annual Progress Report (APR). Singapore proposed that the OEWG consider how to best utilise existing regional and international capacity-building programmes and compile a repository of best practices for programme design.

A needs-based approach to capacity building

Many countries also underlined a needs-based approach to capacity building. This, of course, is one of the principles set forth in the first OEWG APR for developing capacity-building programmes.

Bangladesh highlighted the rapid advancement of AI and emerging technologies and the need to address the skill gap by enhancing digital literacy, technical skills, and knowledge of AI and other emerging technologies. Syria focused on developing countries gaining access to relevant technologies and technical assistance tools and equipment for detecting, responding to, and recovering from malign ICTs activities.

A new proposal! OEWG to organise a conference on capacity building

Singapore proposed that the OEWG should organise an informal conference of capacity-building practitioners to exchange ideas and best practices.

New proposals! How to identify countries’ needs and match them with capacity building initiatives

The Netherlands proposed a four-step cycle to identify and match needs with capacity-building resources. 

The USA recommended briefings from expert organisations such as the International Committee of the Red Cross (ICRC) to identify countries’ needs.

Bangladesh, Singapore, and Syria proposed training initiatives to address identified skill gaps in developing countries.

Singapore suggested that capacity-building programmes should focus on five key dimensions: cyber policy, cyber operations, technical skills, international law in cyberspace, and diplomacy.

The gender dimension of capacity building

During the discussion, integrating the gender dimension into capacity-building efforts emerged as a prominent topic across country interventions, a departure from previous sessions where it was seldom mentioned. Several countries, including Bangladesh, Japan, the Netherlands, the Philippines, Uruguay, South Africa, Switzerland, the UK, Ecuador, and Czechia, emphasised the significance of incorporating a gender perspective into capacity-building initiatives. They stressed the importance of inclusivity, non-discrimination, and transparency in these cyber-capacity efforts.

However, despite the recognition of the gender dimension in ICT use and some countries’ mention of their national efforts, there were limited concrete proposals on integrating gender into capacity-building mechanisms within the framework of the OEWG.

PPS and the SDGs

Another topic many countries touched on was the importance of public-private partnerships with industry and civil society for greater capacity building. Many countries also advocated for integrating capacity building with SDGs and development agenda.

Existing and potential threats

Threat repository

Kenya elaborated upon its March 2023 proposal for creating a UN-run threat repository to enhance global coordination in preventing and responding to cyber threats. The repository would serve as a centralised platform for sharing information on new and emerging cyber threats, facilitating informed responses, and improving cyber resilience. The UN Office of Disarmament Affairs would oversee the repository, ensuring data integrity while providing searchable databases, real-time updates, and assistance mechanisms for member states. Bangladesh, France, Colombia, and the Netherlands expressed their willingness to explore the proposal further.

And as it always happens when a new mechanism or body is proposed, calls for taking stock of what already exists followed. The UK and Argentina suggested mapping existing mechanisms that counter threats in cyberspace, like the Counter Ransomware Initiative. Argentina also highlighted the CERT and CSIRT networks, the Forum for Existing Response and Security Teams (FIRST), Lithuania’s Malware Information Sharing Platform, and India’s Trident ransomware resilience platform. The UK further suggested that diplomatic and technical Points of Contact (PoCs) should communicate with their own counterparts to avoid duplicating the functions of CERT or CSIRT networks. 

Russia, on the other hand, stressed the lack of a universal methodology for identifying perpetrators and the need to develop new measures to counter the range of threats to information security.

List of threats: AI and ransomware are top concerns

Bangladesh drew attention to the numerous emerging threats such as ransomware attacks, deepfakes, quantum computing, and digital identities as vectors for future cyberattacks. The dawn of generative AI also brought AI into the discussions. Bangladesh and Czechia particularly drew attention to the dangers of AI-powered hacking and AI manipulation of humans’ emotions and thoughts.

Additionally, El Salvador put forward a statement on AI as emerging and potential threat, aligning its development with government frameworks to ensure AI safety. They emphasised the importance of implementing regulations to promote awareness among individuals regarding AI-generated photos and videos (especially deepfakes). Moreover, El Salvador acknowledged the significant potential of AI applications in nuclear deterrence and security doctrines, cautioning against the risks they pose to strategic stability by potentially escalating unintentional nuclear use.

The surprising omission of ransomware in the first OEWG APR, despite the widespread acknowledgement of its significance as a threat by most countries, has led to its continued prominence in the ongoing discussions. Several countries, including the UK, Czechia, South Korea and Singapore, raised concerns about the ever-growing ransomware threat in ICT security and stressed the need for a better understanding of these risks. Argentina, Chile, El Salvador, and New Zealand called for the recognition of ransomware as a major threat in the next APR, highlighting its evolution into an advanced persistent threat. 

It can be anticipated that AI will continue to gain momentum in ongoing discussions within the OEWG. The extent of AI as an existing threat has been further formulated since the sessions in March, with a greater focus on the impact of AI on individuals and the need for government legislation around AI development. As a result, further proposals to operationalise tools and mechanisms for managing AI-related risks are likely to arise. When it comes to responding to the threat of ransomware, a key consideration remains uncertain: whether the focus will be on creating new tools or prioritising the coordination and enhancement of existing ones.

INTERNATIONAL LAW icon

International law

When summing up the discussions on international law for the OEWG’s March 2023 session, we wrote that the faultlines from the previous discussions remain. We must now reiterate the same. The lack of progress towards convergence has prompted many calls for more discussions on international law within the OEWG.

The need for a new legally binding instrument: Are discussions premature?

China reiterated that additional new binding obligations are needed. According to Iran and Russia, a new legally binding instrument is not only needed, but urgently needed. Bangladesh also noted they recognise the merit of developing a dedicated international legal framework tailored to the distinct characteristics of the ICT environment. 

However, the majority of states are not in favour of a new legally binding instrument. There has, in fact, been a shift in rhetoric: This camp is now calling negotiations on a new legally binding instrument ‘premature and unnecessary’, noting that states must first figure out how to apply the existing framework. It is worth noting, though, that this does not exclude such negotiations, as the EU and the USA put it: If gaps in common understanding are found, or it is found that existing law cannot address some aspect of conduct in cyberspace, then it can be considered whether additional legally binding obligations could be proposed. 

The applicability of international humanitarian law: To be discussed

The discussions on the applicability of international humanitarian law (IHL) to cyberspace continued to feature as a topic of friction. While a majority of countries agreed that IHL is applicable to cyber operations conducted in the context of armed conflict, Russia is firm in insisting that the existing norms of IHL do not automatically apply to cyberspace – specific circumstances must be considered, and norms must be adapted accordingly. Further study is needed on how and when IHL can be applied to the use of ICTs by states and codifying such an understanding in a legally binding instrument. China underlined the importance of handling the applicability of IHL with prudence and preventing turning cyberspace into a new battlefield. 

The USA, France, Czechia, and New Zealand noted that recognising IHL applicability to cyberspace is not equal to promoting the militarisation of cyberspace. France, New Zealand and Czechia underlined that such discussions are aimed at ensuring the protection of civilians and civilian infrastructures at all times, including in times of conflict. Chile noted that it helps build trust and predictability.

A common line of thought is, however, that the application of IHL should be discussed, and should be a topic of focussed discussion at the OEWG.

Principles of the UN Charter
How is sovereignty understood in the context of the use of ICTs by states?

What may states exercise their sovereignty over?

The general consensus is that states exercise sovereignty over their ICT infrastructure within their territories. El Salvador specifically clarified that this includes physical, digital, and cyber infrastructure, as well as the equipment facilitating data flow, applications, and interoperability standards, including submarine communication cables. Iran also noted that states exercise sovereignty over cyber equipment and added critical infrastructure (CI) and critical internet infrastructure (CII) to the list.

The issue of data sovereignty was highlighted by China and Iran, who emphasised that states have sovereignty over data. Iran defined this as ‘data originated or ended in their territory or devices under its control or in the adjacent area’. China also noted that states exercise sovereignty over related resources. El Salvador and China underlined that states exercise sovereignty over ICT-related activities in their territories. El Salvador noted that states control interactions in cyberspace to prevent misuses and criminal activities, in line with states’ due diligence obligations. 

Austria noted that states exercise sovereignty over persons engaging in cyber actions on their territory, while El Salvador stated states exercise sovereignty by understanding the legal status of cyberspace in three layers: ‘a physical layer composed of the cyber infrastructure; a second layer of software logic; and, a third layer of cyber-persona, also representative of the social aspect of cyberspace linked to real people or to digital personas’.

When do cyber operations violate sovereignty?

For the Netherlands, a violation of sovereignty occurs when a state’s cyber activities infringe upon the territorial integrity of the target state.

The Netherlands, Singapore, and New Zealand share the view that violations of sovereignty occur when cyber activities disrupt another state’s governmental functions. For Singapore and New Zealand, that includes the state’s right to freely choose its political, economic, social, or cultural system. Singapore also added the formulation of state foreign policy, while New Zealand highlighted national security and policing. Examples Singapore provided are interference with the electoral processes of another state or cyberattacking a state’s infrastructure in an attempt to coerce its government to take a certain course of action on a matter ordinarily within its sovereign prerogative. 

Japan and the Nordic countries noted that cyberattacks resulting in physical damage or loss of functionality are breaches of sovereignty. The Nordic countries added cyber operations that alter or interfere with data without causing physical harm may, depending on the specific circumstances, also violate sovereignty.

New Zealand noted the element of coerciveness (namely, that there is the intention to deprive the target state of control over its governmental functions). For Iran, any use of cyber coercion with physical or non-physical effects that threaten national security or may lead to political, economic, societal, and cultural destabilisation, constitutes a threat to sovereignty. However, for Austria, intrusive or disruptive cyber operations, even when not amounting to coercive interference, might still violate sovereignty.
South Africa and Ireland underlined that a breach of sovereignty in cyberspace might amount to an internationally wrongful act. For Ireland, this is true regardless of whether the cyber activity falls short of the threshold of non-intervention or  the use of force. El Salvador, on the other hand, notes that while cyber operations that limit another state’s sovereignty are prohibited under international law, there are exceptions that should be analysed case by case

How should states settle their international disputes by peaceful means in the context of the use of ICTs by states?

States must endeavour to settle such disputes in line with the peaceful means set out in Article 33 of the UN Charter, the majority of states agreed. Austria also noted that the article offers states flexibility regarding the means that they can use to resolve their disputes peacefully.

Japan, South Korea, New Zealand, and France noted that the powers of the UN Security Council, based on Chapters 6 and 7 of the UN Charter, should be used in disputes stemming from cyber operations. The latter two underscore that states can bring any dispute, or any situation likely to endanger international peace and security, to the attention of the UN Security Council, under Art 35. of the UN Charter. Japan noted that the functions of the other UN organs, including the International Court of Justice (ICJ), based on Chapter 14 of the UN Charter, and the Statute of the International Court of Justice, should be used in disputes stemming from cyber operations.

The Netherlands, Switzerland and Japan noted that the Points of Contact (PoC) directory could also contribute to the peaceful settlement of disputes, as it stimulates contacts and the exchange of information between states.

When does a cyber operation constitute a threat or use of force under Article 2.4 of the UN Charter?

Cyber operations may constitute a threat or use of force and a violation of the UN Charter if the scale and effects of the operations are comparable to ones using kinetic means, according to Austria, Switzerland, the UK, France, and New Zealand. For Ireland, if the cyber operations scale and effects correspond to those of a physical use of force, it may constitute a threat or use of force. For the Netherlands, a cyber operation with a very serious financial or economic impact may potentially qualify as the use of force. Estonia also underlined the impact of the cyber operation, South Africa noted it depends on the operation’s effect and scale of the operation, the Nordic countries that it depends on its gravity, while Japan noted it depends on certain circumstances but did not go into detail. Singapore listed the following: the prevailing circumstances at the time of the cyber operation, the origins of the cyber operation, the effects caused or sought by the cyber operation, the degree of intrusion of the cyber operation, and the nature of the target.

The states also discussed the conditions for invoking Art. 51 of the UN Charter (right to self-defence in case of armed attack). Ireland noted that cyber operations could only reach the threshold of armed attack in exceptional circumstances. In Singapore’s view, ‘malicious cyber activity attributable to a state that causes death, injury, physical damage or destruction equivalent to a traditional non-cyber armed attack, or presenting an imminent threat thereof’ would constitute an armed attack. However, Singapore also noted that malicious cyber activity may amount to an armed attack based on its skill and effects, such as sustained infrastructure outages or a series of coordinated cyber attacks.

What role can other UN bodies play in advancing the understanding of the implementation of international law?

South Africa reiterated that the International Law Commission (ILC) could contribute to the discussions, which Iran, El Salvador, Malaysia, and Colombia supported. South Africa also suggested using the expertise of other UN bodies that deal with cyberspace, state behaviour and international law, such as UNIDIR. Colombia noted that the UN Office of Legal Affairs could contribute thematically to the discussions on international law.
On the other hand, Australia noted that the application of international law to peace and security in cyberspace is firmly within the OEWG’s remit and that, should other UN bodies start discussing the same, states’ understanding of how international law applies to cyberspace could fragment.

A new proposal! Debates on scenarios selected by UN bodies

Germany proposed that further focused discussions be based on concrete and potentially real scenarios which would be chosen by UN bodies. The real conditions would lead to an increased level of credibility, and ultimately tackle the question of whether the existing legal framework can address these issues. Germany suggested that these case studies can cover election interference or cyberattacks on critical cyber infrastructure. The Netherlands supported the proposal.

norms rules icon

Rules, norms, and principles 

The implementation of existing norms

Per usual, the implementation of already agreed-upon norms was at the centre of discussions, with a majority of countries continuing to stress the implementation of the already established 11 voluntary, non-binding norms of responsible state behaviour in the 2015 UN Group of Government Experts (GGE) consensus report, unanimously endorsed by the UN General Assembly (UNGA). 

Several delegations emphasised the need for more focused discussions and highlighted the crucial role of capacity building in ensuring the practical implementation and realisation of norms beyond paper. Once again, a needs-based approach to capacity building for norms implementation was underlined.

To offer more concrete guidance on norms implementation, Singapore is developing a preliminary norms implementation checklist with UNODA and ASEAN member states under the UN Singapore Cyber Programme. The checklist is envisaged as a simple guide for a set of actions that countries could take towards implementing the 11 norms. A preliminary checklist consisting of norms G, J, and K has been developed. Singapore believes it could serve as a guide and reference for all states and support them in their norms implementation journeys.

Canada has also been working with stakeholders and states like the USA and the Netherlands to develop a paper with additional guidance on norms in general, starting with the norms on critical infrastructure,  and including the essential role that civil society would have to play in implementing them. They highlighted the work of the Cyber Peace Institute, Microsoft, the Royal United Services Institute, and the German think tank Stiftung Neue Verantwortung (SNV) in the drafting of the paper.

The EU and Japan suggested the PoA could guide national efforts to implement frameworks of responsible state behaviour. More on that in the section on PoA. 

Formulating new norms

Some countries are in favour of formulating new norms. For instance, China proposed formulating new rules that effectively address global issues around data security, cross-border data flow and the protection of personal information. Bangladesh advocated for a flexible framework around norms creation in cyberspace, noting that developing additional norms should be seen as an ongoing exercise of evaluating, updating, and recalibrating the norms based on needs, rather than when a one-time event arises. In Iran’s view, any agreed-upon norms should be discussed within the OEWG forum, which should hold dedicated sessions and a thematic subgroup to draft a final set of norms prior to their operationalisation. 

The emphasis on practical implementation rather than mere endorsement of norms highlights nations’ need for tangible actions to promote responsible state behaviour in cyberspace. Capacity building emerges as a crucial element in this regard, emphasising the importance of equipping nations with the necessary tools and knowledge to effectively implement these norms.

The discussion surrounding the formulation of new norms in cyberspace highlighted the evolving challenges in governing this domain. On the one hand, there are countries that acknowledge the 11 established norms of responsible state behaviour and advocate for their implementation. However, they may encounter difficulties in operationalising these rules, due to the ever-changing cyber landscape.

On the other hand, some delegations question the existing norms and challenge their scope. They argue that the process of norms-setting in cyberspace should be continuous and adaptable to address emerging challenges in the digital domain. Yet, when faced with an ever-changing list of norms, operationalising rules on responsible state behaviour could be challenging.

An alternative perspective is that the operationalisation of the established 11 norms could serve as a foundation for the creation of new norms that reflect the ongoing challenges in cyberspace. Their operationalisation would require a flexible and responsive framework to create norms around cyber-related issues as they emerge.

Iran argued that before taking steps towards the operationalisation of norms, the OEWG needs to agree on a final and comprehensive list of obligatory and universal norms. The country emphasised that all norms, rules, and principles of responsible behaviour of the state must be discussed and adopted by consensus within the OEWG.

confidence icon

CBMs

During the session on confidence-building measures (CBMs) delegations discussed concrete proposals to approach the operationalisation of CBMs, and also made some proposals regarding the possibility of new CBMs.

Operalisation of CBMs

Some delegations (e.g., Canada, Chile, the EU, the Netherlands, Singapore, and the USA)  reiterated the role of regional organisations and supported mentioning this in the second OEWG APR New proposals were also made for the operationalisation of CBMs.

Other delegations echoed the proposals to enhance transparency. For example, Switzerland stressed that the operationalisation should start with the CBMs that are easier to implement, for example, those which lead to better cooperation and dialogue, as well as transparency. Canada also supported enhancing transparency and, in particular, acknowledging that a state has an offensive cyber capability that will be used in accordance with international norms and laws. Canada also proposed providing more transparency about what states classify as critical infrastructure, while supporting Singapore’s suggestion to organise a workshop. Australia also emphasised the need for greater transparency regarding ICT security agency missions and functions, as well as their legal and oversight regimes. 

Germany, on behalf of the Confidence Builders Group (Argentina, Australia, Brazil, Canada, Chile, the Czech Republic, Fiji, Israel, the Republic of Korea, Mexico, the Netherlands, Singapore, Uruguay, and Germany) presented the joint working paper to set incentives for the operationalisation of a PoC directory.

The possibility of new CBMs

Mexico argued that the development of new CBMs should remain on a voluntary basis. Pakistan proposed to focus on new CBMs in areas such as capacity building, research in cybersecurity, exchange of best practices and addressing disinformation and fake news. Russia added that the voluntary and non-binding nature of CBMs limits their efficiency. 

New proposals! An informal workshop on critical infrastructure protection and using UNIDIR to enhance transparency 

Singapore proposed an informal workshop with technical experts, policymakers, and diplomats on considerations and challenges to protect critical information infrastructure, and thus to identify capacity-building needs and map them into actionable implementation of the CBMs. 

Singapore also proposed enhancing transparency by utilising existing resources such as the voluntary UNIDIR Cyber Policy Portal, and added that the portal could be further developed to include a points of contact (POC) with relevant excerpts of the organisational charts and contact details that would be kept up-to-date annually.

New proposal! Informal virtual meetings to share info on PoC directory

The Confidence Builders Group suggests that, in particular, regular informal virtual meetings could be held by UNODA to share practical information regarding a POC directory, such as agenda activities and exercises, among others.

New proposals! 

Germany proposed two measures based on Organization for Security and Co-operation in Europe (OSCE) regional practices to enhance the protection of critical infrastructure and to promote cooperative activities to reduce risks.
In developing new CBMs, Russia proposed agreement on basic universal principles and, in particular, stressed that it is important to observe the principle ‘do no harm – i.e. new CBMs should not cause harm to the security of other states, provide advantages to any state or group of states in the military, political, economic or other spheres, should not be used as a tool for interference in the internal affairs of states, or as an instrument or pretext for sanctions or other unilateral measures.

dialogue icon

Regular institutional dialogue

In recent years, states became divided on future regular institutional dialogue, or, in other words, what will come after the current OEWG, with three main possibilities emerging.. Some delegations prepared elaborate proposals based on the details of the Programme of Action (PoA), some delegations outright opposed the PoA at this stage, and some delegations just wanted to avoid duplication of efforts. Such a division was present at this informal meeting as well.

Among the supporters of the PoA, coordinating capacity-building efforts and implementing the already agreed-upon framework are considered to be within the scope and goals of the PoA. 

New proposals! How the PoA can coordinate capacity-building efforts and create synergies across existing instruments

The EU, the Netherlands and Estonia mentioned that the POA should seek to leverage relevant existing initiatives and build on existing capacity-building structures and platforms to coordinate capacity-building efforts and map the capacity-building needs of countries worldwide.

Egypt and Mexico both suggested that the POA should lay the groundwork for international cooperation around capacity building. Egypt added that it should facilitate and monitor the implementation of the agreed framework through the provision of tailored capacity-building programmes, and Mexico focused instead on the role of the POA as a platform to exchange information, experiences, and best practices related to the prevention and mitigation of cyber incidents.

Czechia proposed that the POA could be used as a platform to exchange views and ideas and act as a coordinator for donor efforts and mapping the needs of recipient countries.

New proposal! The PoA’s role in norms implementation

The EU noted that the PoA could guide national efforts to implement frameworks of responsible state behaviour by supporting the exchange of best practices and lessons learned, implementing relevant norms through concrete capacity-building projects, and cooperation with the private sector that owns many critical infrastructures in states.

New proposals! What should be under PoA’s purview: developing new norms and new CBMs, measures to address threats

The EU and Czechia think that the PoA should have the flexibility to develop new norms and in the case of the EU, new CBMs

Australia and Mexico proposed that existing and emerging threats and measures to address them should also be in the scope of the PoA, with Mexico suggesting that the exchange of information, experiences and best practices related to the prevention, management and mitigation of cyber incidents could also be included in the PoA. The Mexican delegation also believes that the PoA could serve, in the long term, as an umbrella instrument under which the efforts of other parallel mechanisms could converge.

Additionally, diverse views have been shared on how the PoA could be organised, how often the review of the programme should be conducted, and which structure and format of work it should have, including annual meetings, intersessional meetings, review conferences, and technical working groups. 

A group of countries that opposes the PoA, shared different views on the future regular institutional dialogue. For instance, Russia stressed that the agenda of the PoA is considerably narrower than that of the OEWG, and that the Western countries attach very specific political meaning to the PoA, publicly promoting it as an anti-Russian course. Instead, for the future regular institutional dialogue, Russia continues advocating for other modalities for the future process, where, as proposed, among other points, only accredited non-state actors should be allowed the right to participate in official events as observers. 

China added that some states ‘tried to impose a UNGA Resolution on a PoA last year’ and split the UN process on ICT security and undermine the OEWG’. The Chinese delegation stressed that in accordance with the OEWG mandate, ‘there is only a regular institutional dialogue, and there is no so-called PoA’. China proposed that the future mechanism should be developed based on two principles: (1) upholding the agreed-upon framework and (2) formulating new international rules in response to evolving situations, particularly data security issues. However, no concrete suggestions on the future regular institutional discussion came from this group.

In the meantime, other delegations did not directly express views on the PoA during this session but rather called for avoiding polarisation and the duplication of efforts.

A new proposal! A new UN negotiation process in 2026 to establish the modalities of the future regular institutional dialogue

Brazil called for a single-track discussion in the UNGA and proposed that the OEWG’s final report recommends the UNGA start a negotiation process throughout 2026, culminating in a high-level meeting to endorse a document that would, on the one hand, consolidate and reaffirm the agreed upon framework, and on the other hand, establish the modalities of work of the future regular institutional dialogue.

A new proposal! A permanent UN body on cybersecurity

Microsoft advocated for establishing a permanent UN body on cybersecurity. This body would incorporate expertise from diverse stakeholders and promote meaningful multistakeholder engagement. Microsoft proposed core principles for this mechanism, including practical support and funding for implementing cyber norms, the protection of human rights, flexibility to respond to emerging threats, and discussions on safeguarding global ICT supply chains. Additionally, Microsoft emphasised the need to preserve the sanctity of humanitarian data, ensuring they remain off-limits to cyber harm.

Next steps 

The OEWG will meet for its 5th substantive session from 24 to 28 July 2023, when the chair is set to present the draft of the 2nd OWEG APR. States will negotiate the text of the report and are expected to adopt it on 28 July. 

By Andrijana Gavrilović, Anastasiya Kazakova, Salomé Petit-Siemens

Related resources

Load more
0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

The reCAPTCHA verification period has expired. Please reload the page.

Subscribe to Diplo's Blog

Tailor your subscription to your interests, from updates on the dynamic world of digital diplomacy to the latest trends in AI.

Subscribe to more Diplo and Geneva Internet Platform newsletters!