First UN OEWG concludes with a consensus report – what does it mean for future cybersecurity discussions under the auspices of the First Committee?

Final substantial session of the OEWG

The final substantive session of the United Nations Open-Ended Working Group (OEWG) on developments in the field of information and telecommunications in the context of international security (OEWG) took place from 8 – 12 March 2021. Week-long negotiations on the final report were intense and full of exchanges of views on the cyber stability framework created with previous Group of Governmental Experts (GGE) consensus reports from 2010, 2013 and 2015.


The OEWG was the first format that brought ICT-related discussions to the big floor of the United Nations (UN) where all UN member states had the chance to take part and to discuss what kind of issues should be addressed in the future consensus report of the OEWG. States also turned their focus to what should be agreed during the final meeting, and to what the future may hold for further formats under the UN First Committee.


The final round of negotiations revealed substantial proposals regarding the first draft report distributed by the chair of the OEWG. Like the GGE, the OEWG works on consensus, which prompted concerns over how delegations can reach common views on the final report given their considerable differences, especially on the topic of international law and regular institutional dialogue.


However, there was a discernible will to make the first OEWG a success and adopt its first consensus report which would form, alongside the GGE consensus reports, a basis for further work. The final report was tabled by the Chair on Thursday and during the last day of week-long hybrid meetings, delegations, although expressing some concern regarding the content, approved the final text.


Although the content of the consensus report is not particularly exceptional, it shows the desire for discussions on ICT security and a framework for responsible state behaviour in cyberspace. The added value of the report is that it represents a considerable step forward from the 2015 GGE report, given that the last GGE failed to reach consensus due to conflicting views on international law and did not manage to agree on a final text. In this overview, key takeaways are addressed, and some thoughts presented as to how work under the UN continues.


Which comes first – international law or voluntary norms?

One of the main differences from previous substantive sessions is the structure of the consensus report. During discussions reflecting different views on voluntary norms, international law, capacity building and confidence-building measures there was a valuable overview of where states are working towards consensus and which topics are sensitive and controversial.


It was no surprise that one of the main areas of disagreement was international law, even in whether or not international law should be addressed before voluntary and non-binding rules of responsible state behaviour. There were various views presented. Many delegations argued that international law must be addressed first as it represents, alongside rights, legally binding obligations for states. Voluntary norms are complementary to those obligations. Others countered this position as positioning norms before international law as was done in the 2015 GGE report, and that norms are less controversial than international law. In the end, the switch was made, and international law part was moved to the third topic in the report.


On international law, the most relevant part is paragraph 34 which confirms General Assembly (GA) resolution 70/237 which adopted the 2015 GGE report by consensus. The delegations also reaffirmed the importance of the UN Charter and the need to refrain from taking measures not in accordance with international legal obligations. Although several important areas of international law were not mentioned in the international law section, it can be considered as an important confirmation of previous acqui and includes several of those areas such as international humanitarian law, international human rights law, the law of state responsibility, due diligence, the principle of non-intervention, the prohibition on the threat or use of force and the inherent right of self-defence.


The report also emphasises that, when disputes do arise, states should seek settlement by peaceful means using the language of Article 33 of the UN Charter. Working towards common understanding regarding international law issues – including how international law applies to state use of ICTs – is one of the primary aims of the exchange of views. This is closely related to capacity-building efforts, which means that in addition to building technical capacities, international law should become a significant part of those efforts.


One of the most disputed parts was paragraph 80 of the final observations which addresses the decades-long discussion on a cyber-specific legally binding instrument (LBI). The Report has a statement that new ideas and proposals were mentioned during the deliberations, including the possibility of producing an LBI, but that it was not agreed by all states.


Discussion on discussions

The second key part of the report is the additional documents added to the report itself. The zero draft on which previous substantial sessions and informal sessions have been based also included a broad exchange of views. This part gave an overview of topics where most states found common ground and which are those where further work needs to be done.


Given the rather lengthy Report, several states suggested it should focus on the common conclusions and recommendations by the group and that the discussions should be a separate annex. However, others argued that details of the discussions were crucial as they reflected the broad range of positions and ideas mentioned during nearly two years of negotiations. In the final report, the various states agreed that, in the name of consensus, they would accept that it would be a separate document titled “chair’s summary”. It would not, however, lose its importance as it reflects in a balanced manner what the key points to be discussed during future gatherings should be depending on the formats that these gatherings will have. Like the report and the cyber stability framework itself, it includes all four pillars.


The summary also includes an annex with a specific language proposal on norms drawing on 16 submissions presented by delegations or groups of nations. For example, Canada provided detailed proposals on how to operationalise and implement agreed norms. The importance of such proposals provides added value, especially given that the OEWG has mainly focused on how to implement the 11 agreed norms of the 2015 GGE report.


Some states expressed frustration with some of the proposals, saying that their own suggestions were not considered and that the report seems to be biased towards a certain group of states. Views were expressed by some who felt that their red lines had not been included, and states should work towards an LBI. During negotiations and given the chair’s summary, it was clear that most positions have remained as they have been for decades and that polarisation has remained. However, the first step has been made towards having all stakeholders take part.


The future is now

The third and perhaps most important part of the negotiations and the Report has been the regular institutional dialogue on what kind of form the discussions on state use of ICTs will take in the UN First Committee. One thing is sure – states agree that these discussions must continue under the auspice of the UN. Many delegations expressed their view that the OEWG itself has been capacity-building and a positive example of how to work multilaterally on cybersecurity issues, whether it be cyber diplomacy in general, international law, or how to encourage trust and cooperation between states.


Coming to more specific proposals, two ideas have been presented. The first was tabled by the Russian Federation and is a resolution that would establish a new OEWG for the period 2021 to 2025. This resolution passed during GA voting, but the OEWG is still established in a temporary manner which could prove difficult if discussions continue beyond 2025. Thus, in addition to the newly established additional OEWG, France and Egypt and almost fifty other states from all continents – including all European Union member states, Japan, Argentina, Colombia – proposed a different approach called a Programme of Action (POA).


At the end of 2020, a joint contribution was distributed which addressed the topic of future discussions on ICTs and cyberspace at the UN. In the concept note, the sponsors highlighted the continued appetite for inclusive and transparent forums where state use of ICTs could be discussed. However, as the groups so far established under the First Committee have been temporary, it would be beneficial to have a permanent group that would be more structured but still flexible enough to allow ‘consensus-driven, action-oriented and transparent dialogue between states, more multi-stakeholder engagement and acknowledges the importance of capacity building and reliable coordinated efforts’.


The POA initiative found wide support as it brings two parallel processes under the same roof and would allow a focus on the existing framework while engaging broad participation and working towards providing guidance on specific issues for the cyber stability framework. Although some states opposed the idea of the POA, the Report emphasises the POA in Paragraph 77, stating that a variety of proposals had been made on how to advance responsible state behaviour and to support the capacities of states in implementing commitments in their use of ICTs, particularly in the POA. It recommends that: ‘the Programme of Action should be further elaborated including at the Open-Ended Working Group process established pursuant to General Assembly resolution 75/240’.


This raises the final issue: what the OEWG-wide consensus and additional proposals for a new OEWG and POA mean for the process of the GGEs. The final session of the sixth GGE will take place at the end of May 2021 and its members will also be seeking a consensus report. We will know the options by the beginning of June 2021. However, the process of the OEWG states that there is a continued will to work together in the name of accord and the ultimate result of this process – a consensus report – would be best described as the optimal result and a compromise with which all states can be ‘half-way happy’.


Author: Maria Tolppa, NATO CCDCOE Law Branch

 This publication is a part of the INCYDER database, a research tool on International Cyber Developments (INCYDER), established by NATO CCDCOE to facilitate the work of researchers, lawyers, policy-makers and other cyber security-related practitioners. INCYDER offers up-to-date overviews and easy access to the most relevant legal and policy documents adopted by international organisations active in the cyber security domain along with practical summaries and analysis of recent trends within these organisations written by CCDCOE researchers.


This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.


← Library