Cyber Peace & Security Monitor, Vol. 2, No. 2

Restart or reset? OEWG II gets underway
10 December 2021


Allison Pytlak

There is a noticeable sense of momentum within the United Nations (UN) around cyber peace and security these days. The UN Secretary-General (UNSG) prioritised the issue and identified cyber warfare as a key strategic risk in his recently released Our Common Agenda. He suggested a ban on cyberattacks against critical infrastructure and de-escalating cyber-related risks and tensions as possible elements of a new peace agenda. The UN’s Working Group on Mercenaries released a report in which it assesses the role and impact of cyber mercenaries on human rights and makes some very specific recommendations to other UN bodies dealing with these issues. Other UN human rights experts have called for a moratorium on the sale of spyware. References to cyber threats and online networks are cropping up more frequently within UN frameworks on nuclear and autonomous weapons, as well as on small arms, alongside a growing number of relevant research initiatives. Despite misgivings from many states and stakeholders about a new initiative to develop a cybercrime treaty via the UN General Assembly (UNGA) Third Committee, preparations are underway for a January meeting of that process’s Ad Hoc Committee.

Meanwhile, the two processes established in 2018 by the UNGA’s First Committee both adopted substantive reports earlier this year, thus bringing to a close their respective work as well as a bifurcated process on cyber peace and security. This was followed by the adoption of a single resolution on cyber and information and communication technologies (ICTs) during the 2021 First Committee session, after two years of the so-called duelling resolutions from Russia and the United States. 

Considering how long the topic of ICTs, a.k.a. cyber, has been on the UN’s agenda, the current surge in attention and priority is not only welcome but overdue, not least considering the pace of technological development and the explosion of cyber threats we are facing. This surge should give impetus to the UN’s second open-ended working group (OEWG II) as it has its first substantive session this month. The group’s predecessor, OEWG I, began its work in a politically hostile climate but eventually cultivated a strong sense of constructive energy and trust among its participants, enabling the consensus adoption of a final report—hailed as a win for multilateralism and diplomacy, but certainly involving concessions from many states. The OEWG I final report was complemented by a substantive report and compendium of views from its counterpart, the sixth Group of Governmental Experts (GGE), released just two months later.

Despite the current goodwill and constructive spirit, many of the underlying issues that divided states during OEWG I and in the GGEs haven’t disappeared. Moreover, it cannot be overlooked that in parallel to the momentum in the UN there is also undeniable momentum in the severity and scale of malicious cyber operations occurring in real time, which demand meaningful and effective response.

At the outset of OEWG I in 2019, a common remark was to “not start from scratch,” meaning that states should not overlook or seek to undo the existing acquis of agreements and affirmations from past UN processes. This continues to be a relevant message for the restarting of OEWG sessions, as the new group seeks to build on the work of its predecessors. But that shouldn’t hinder the potential for evolution either; and in a few areas, it may just be time for a factory reset.

Scratch lines

The OEWG II’s provisional programme of work is guided by the resolution that established the group. It will mainly follow the same six topics as did OEWG I: threats; rules, norms, and principles; international law; confidence-building measures (CBMs); capacity building; and regular institutional dialogue. These topics are deeply interconnected. One of the balancing acts facing the new group will be to respond to the issues that require urgent attention while not giving short shrift to the others.

At the conclusion of OEWG I, the stickiest issues were moved into a Chair’s summary of the process, which is a non-negotiated document issued by a conference or meeting chairperson to accompany a negotiated report. It is a way to reflect points that were made but did not enjoy sufficient support or consensus to be included in the adopted report. The adopted OEWG I report was ultimately structured in a way that focuses on conclusions and recommendations. 

Important among the items that did not survive into the adopted report was a reflection of the high degree of support from most—but not all—states on the applicability of international humanitarian law to cyber space.

Per our reporting, other areas that were also contentious at the end of OEWG I included:

  • How exhaustively and prescriptively to name the different types of critical infrastructure
  • Whether to affirm the applicability of the UN Charter “in its entirety”
  • Whether and how to define which legal principles are or should be applied to state behaviour in cyber space
  • The ordering of norms vis-a-vis law
  • Whether to welcome or include reference to past UNGA resolutions that approved reports from earlier UN GGEs by vote, versus those adopted by consensus
  • Tech neutrality
  • Concerns about the development of ICT capabilities for purposes that undermine peace and security, and for military purposes
  • If the call for states to submit views to the UNSG and to establish national points of contact in relation to capacity-building should be voluntary or not
  • The possibility of developing legally binding obligations
  • Reconciling very different views on if and how to reference OEWG II and the proposal for a programme of action (PoA) on cyber.

Any of the above could be a trigger for debate, some more than others. At the close of OEWG I, a few states even disassociated themselves from parts of the final report while others expressed discomfort at certain concessions or raised points about the costs of consensus-based decision-making.

There is some residual skepticism about OEWG II as a forum, left over from how it was established in 2020 in a move at the UNGA First Committee by Russia that many states felt was premature. Given the growing support for creating a cyber programme of action (PoA)—intended to be a politically-binding and “action-oriented” instrument—OEWG II is under some pressure to demonstrate it can not only maintain the largely constructive spirit of OEWG I, but also have impact, lest it be eclipsed by the PoA.

One way for the OEWG II to not start from scratch would therefore be to advance on or survey progress made on some of the tangible recommendations contained in the OEWG I report or build on proposals made through working papers and other submissions. The guiding questions set out by OEWG II Chair Ambassador Burhan Gafoor of Singapore for the December session will be useful in this regard as well as for identifying priorities. Many of them ask what role the OEWG can play in facilitating national or regional actions, from norms implementation to information-sharing, matching needs, and clarifying or building policy. Others ask broader questions, such as about the potential development of new norms; most sections touch on the role of non-governmental actors.

Reset

Which brings us to a point where a reset is sorely needed. The standard UNGA modalities for non-governmental stakeholders to apply for accreditation and registration to formal sessions were exploited by a handful of states in OEWG I, who blocked the participation of multiple actors that are legitimate but lack UN Economic and Social Council (ECOSOC) status. To garner wide input to the OEWG from some of these actors, many of whom play an active role in implementing the UN cyber norms, the OEWG I chairperson and supportive states facilitated several ad hoc informal dialogues and events, such as the Let’s Talk Cyber initiative. While these were well-attended and successful, including for fostering a sense of community, they were not intended to become a permanent substitute for the meaningful inclusion of civil society in the formal meetings.

It was therefore widely hoped that OEWG II might bring about new modalities. During an organising meeting held in June, several states spoke to this issue and came with proposals for OEWG II, based on other relevant UN and multilateral processes. This issue was left as “outstanding” at the end of that meeting, with the understanding that more consultations would be held, and a proposal made. Subsequently, one of the Working Groups of the Paris Call for Trust and Security in Cyberspace put out a study on the need for greater inclusivity in the UN dialogues on cyber security, while representatives of other civil society organisations, including WILPF, co-authored a report to highlight good practice on civil society inclusion in other processes. 

It was therefore disappointing to many when a letter from the Chair published in mid-November set out that he had taken a decision to use the same modalities as OEWG I. This means that accreditation requests to join formal meetings would go through the usual procedure in which states can object to an application, and that other informal consultative meetings can be arranged. The Chair does commit “to engaging with stakeholders in a systematic, sustained, and substantive manner” and sets out a plan to have, as of 2022, day-long informal consultations a few days in advance of planned formal OEWG sessions. 

In December, however, there’ll be only one 90-minute consultation held during a lunch break in which stakeholders can deliver remarks of two minutes in length. 

In response, more than 40 member states and close to 150 non-governmental representatives sent a letter to the Chair on 9 December, outlining their concerns.

It's possible that states won’t object to formal accreditation requests this time around, but if they do, a minimum ask would be that objections are accompanied by an explanation, particularly when the organisation in question has a credible track record of work on cyber peace and security.

Excluding civil society from OEWG II or making it challenging to join will only be detrimental to the process—both its credibility and its impact. “The discussion of the OEWG agenda and the implementation of its outcomes cannot be done by governments alone,” notes one of the aforementioned studies. The discourse on stakeholder participation must change from “if” to “how” we are involved. 

Moving to action

Adopting or issuing reports and statements is important for multilateralism and awareness-raising, but what is necessary is that commitments are implemented and actioned outside the halls of the UN. “Ultimately, success depends not on the report but on our collective determination to implement the commitments made today,” noted the representative of the Czech Republic in closing remarks to the OEWG I third substantive session.

In this vein, it is vital that the OEWG not become just another talk shop. The 2021 joint statement from civil society to the UNGA First Committee described a range of cyber operations and threats which speak to “the far-reaching impacts of aggressive action in cyberspace.” The statement further underscores that, “Such actions demonstrate that the legal ambiguities surrounding the application of international law to state behaviour in cyber space are being exploited, and that relevant norms against such behaviour are not being respected.”

Many in civil society had hoped that OEWG I would produce some form of accountability mechanism or framework. It did not, despite more than a few working papers and proposals to this end. Closing the cyber accountability gap and fostering transparency will continue to be a priority message for many, including WILPF.

More positively, however, OEWG I helped propel certain new issues to the international agenda that had not previously been well-accepted or often discussed. One example is growing acceptance of human-centric approaches to cyber peace and security, and within that, an examination of the gendered impact of cyber operations as well as the value of women’s participation in all aspects of the sector, which was further bolstered by the Women in Cyber fellowship programme.

Whether restarting or resetting, it’s going to be important that states not let an approach of “not starting from scratch” limit the potential for evolution and growth. Whether it be new cyber norms, new concepts, or reacting to new threats, the time for urgent action for cyber peace is now.